The cyberattack against Co-op is significantly more severe than the company initially stated, according to new information shared by the hackers behind the breach.

The criminal group, identifying themselves as “DragonForce”, contacted the BBC directly and presented evidence showing they had stolen substantial quantities of personal data from the Co-op’s internal systems.

The group claims to hold the details of up to 20 million people linked to the retailer’s membership scheme.

Co-op has since confirmed that information relating to a large number of current and former members has been accessed. The company had previously downplayed the impact, saying there was “no evidence that customer data was compromised” and describing the breach as having a “small impact” on its operations.

Hackers accessed internal chats and databases

DragonForce provided screenshots to the BBC showing messages sent directly to Co-op’s head of cyber security via Microsoft Teams on 25 April, in which they claimed to have “exfiltrated the data” and accessed the customer database and member card data.

The group also claimed to have contacted other senior executives as part of an extortion attempt.

Co-op employees have since been instructed to keep cameras on during virtual meetings, avoid recording or transcribing calls, and verify all participants—steps believed to be a direct response to the hackers gaining access to internal communications.

According to the BBC, DragonForce also shared samples of sensitive data, including usernames and passwords of staff and the personal details of 10,000 customers. This data reportedly includes names, addresses, email addresses, phone numbers, and membership card numbers.

Co-op discloses breach following hacker contact

Following the hackers’ disclosure to the media, Co-op issued a more detailed statement to staff and regulators. The company said the stolen data included names and contact details of members but not passwords, payment information, or details of products and services used.

Co-op operates more than 2,500 supermarkets and 800 funeral homes across the UK and employs approximately 70,000 people. It is now working with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) to investigate the breach and secure its systems.

The membership database is considered a core asset for the company and potentially lucrative to criminals. While DragonForce has not revealed how it plans to use the stolen data, it is widely believed that the motive is financial extortion.

Government urges firms to prioritise cyber security

The UK government has responded to the breach, with Cabinet Office minister Pat McFadden warning businesses to treat cyber security as a top priority. National security officials have held talks with the NCSC and affected retailers, including Co-op.

“This should be a wake-up call,” McFadden is expected to say in a speech next week. “Companies must treat cyber security as an absolute priority. Just as you would never leave your house or car unlocked, we must do the same with our digital systems.”

The DragonForce group is known for its ransomware operations and offers tools for other criminals to carry out attacks.

Security experts say the techniques used are consistent with those of “Scattered Spider” or “Octo Tempest”—loose collectives of English-speaking hackers, some reportedly teenagers, who operate through messaging platforms like Telegram and Discord.

Co-op has apologised for the incident and reiterated its commitment to protecting customer and employee data.