Co-op CEO acknowledges personal data has been stolen from all 6.5M Co-op Group members

Published: 18 July 2025
Last updated: 18 July 2025
co-op-attack
Image by Getty Images/Mike Kemp.

Shirine Khoury-Haq, CEO of the Co-op Group, has confirmed that all of its 6.5 million members had their data stolen in a recent cyberattack.

“I’m devastated that information was taken. I’m also devastated by the impact that it took on our colleagues, as well as they tried to contain all of this,” she said in an interview with the BBC on Wednesday.

Khoury-Haq declares that full names, home addresses, email addresses, phone numbers, and dates of birth were stolen. The attackers didn’t succeed in exfiltrating financial data, purchase history, or other transaction data, she added.

ADVERTISEMENT

During the interview, the CEO of the Co-op Group said that she was “incredibly sorry” for the incident and that it felt personal to her because of its impact on her colleagues.

“Early on, I met with our IT staff, and they were in the midst of it. I will never forget the looks on their faces, trying to fight off these criminals,” she said.

The data breach has been linked to a ransomware operation called Scattered Spider, which deployed DragonForce ransomware to pull off the cyberattack. Members of the gang claimed to have stolen private information of 20 million Co-op customers. According to Khoury-Haq, personal information of 6.5 million current and former Co-op Group Members has been taken.

Linas Kmieliauskas jurgita Konstancija Gasaityte profile James Caunt
Stay informed and get our latest stories on Google News
Google News Follow us

Last week, the National Crime Agency (NCA) arrested four people suspected of being involved in the cyberattacks on Co-op, Marks & Spencer, and Harrods: a 17-year-old British man from the West Midlands, a 19-year-old Latvian man from the West Midlands, a 19-year-old British man from London, and a 20-year-old British woman from Staffordshire.

They’re accused of suspicion of blackmail, money laundering, offences under the Computer Misuse Act, and participating in a criminal organization. The suspects were all arrested at their home addresses. Their computers were seized for digital forensic analysis.

“Today’s arrests are a significant step in that investigation, but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice,” Deputy Director Paul Foster, Head of the NCA’s National Cyber Crime Unit, said in response.

ADVERTISEMENT

Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT