Hot on the heels of Marks & Spencer suffering a cyber attack, the Co-operative Group has become the latest high-profile UK retailer targeted in a major cyberattack—one that now appears far more serious than initially disclosed.
A ransomware group calling itself DragonForce contacted the BBC with proof of a large-scale data breach, claiming they had exfiltrated sensitive personal data from Co-op’s internal systems.
The stolen information reportedly includes names, home addresses, phone numbers, email addresses, and membership card details of up to 20 million current and former members. The bad actor also shared employee usernames and passwords and screenshots of conversations with Co-op’s cybersecurity leadership.
This contradicts Co-op’s earlier public statements downplaying the incident. Initially, the mutual said it had taken “proactive measures” with only a “small impact” on operations and no evidence of customer data compromise. But after being contacted with evidence by the BBC, Co-op confirmed that personal data had in fact been stolen, although they insisted no passwords, bank or credit card details, or transactional data were included.
Cybercriminals Demand Ransom
DragonForce claims to have accessed Microsoft Teams chats and calls, and even sent extortion messages directly to Co-op’s cybersecurity chief, saying it had exfiltrated data from the company, including the customer database and Co-op member card data.
Following this, Co-op said it enforced stricter internal communication protocols, including keeping cameras on during video calls, barring recordings, and verifying participant identities to mitigate risk of further intrusion.
The group behind the attack is known for both encrypting data and stealing it, a double-extortion approach to ransomware aimed at applying maximum pressure to get its victims to cough up the ransom.
DragonForce is believed to operate as a ransomware-as-a-service gang, with links to groups like Scattered Spider, an English-speaking hacker collective with members reportedly as young as teenagers, and the culprits behind the Marks & Spencer incident.
A Broader Threat to UK Retailers
DragonForce also claimed to be behind the attempted breach of Harrods, suggesting that UK retail giants are under attack. While Co-op has not confirmed the extent of this coordination, the UK’s National Cyber Security Centre (NCSC) and National Crime Agency (NCA) are working with affected organizations to investigate potential links.
The fallout is prompting government minister Pat McFadden to urge companies to “treat cyber security as an absolute priority” in a keynote address he is set to give this week.
Operational Impact and Public Response
While Co-op’s physical stores and funeral services are operating normally, internal systems—including stock monitoring and legal services—have been disrupted. Remote access has been restricted for some staff members, and there are concerns that supply chain issues may crop up if IT functions are not restored quickly.
In its latest statement, the Co-op said: “While we have been able to protect our Co-op from significant trading disruption, which is often the intent of these sorts of attacks, I am very sorry that this member information was accessed. While there is no impact to your account, and you can continue to trade with us as normal, I appreciate that members will be concerned.”
Stay Vigilant
Dray Agha, senior manager of security operations at Huntress, said: “This incident aligns with a broader trend we’re seeing where attackers increasingly target retail and essential services with initial access attempts, often through phishing or credential abuse, before escalating to ransomware or data theft. Defenders must stay vigilant, especially in sectors managing large volumes of sensitive customer and payment data.
“This is a timely reminder of why continuous threat detection and rapid response are critical. Real-time investigation and intervention mean the difference between an interruption and a catastrophe.”
Retail in the Crosshairs
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, says the incident underscores the growing cybersecurity challenges facing the retail sector. “The Co-op’s swift response in restricting access to certain systems demonstrates a commendable prioritisation of cybersecurity.”
This incident highlights the critical role of technology in modern retail operations and its potential vulnerabilities, adds Malik. “As retailers increasingly rely on digital systems for everything from inventory management to customer service, they inadvertently expand their attack surface, making them attractive targets for cybercriminals. No single system should be considered to be non-business critical. All systems are reliant on one another and when one goes down or is compromised, it can have a knock-on effect on others.”
Malik says the fact that other major retailers like Morrisons and WH Smith have been in a similar situation points to a broader trend of escalating cyber threats in the sector, which is why it’s important that retailers view cybersecurity not only as an IT concern, but as a fundamental part of business. “This involves not only investing in technical defences but also fostering a culture of cybersecurity awareness throughout the organisation where everyone plays their role in keeping the organisation secure.”
Relying on IoT Devices
Many retailers are increasingly relying on IoT devices to do everything from product pricing to stock takes and, while this undoubtedly delivers some efficiency gains, it also brings risks with it, comments Jamie Akhtar, CEO and Co-founder at CyberSmart.
“IoT devices are notorious for providing cybercriminals easy routes into wider systems. They often come with rudimentary security as default and many businesses simply don’t realise the importance of updating things like operating systems and firmware regularly, meaning these devices are often riddled with vulnerabilities.
“There’s no suggestion yet that this is what has happened in this instance. What’s more, the Co-op should be applauded for doing everything right in their response to the threat. Nevertheless, this is a growing risk for retailers, and it’s partly why we’re seeing so many high-profile attacks.”
A Troubling Pattern
Martin Greenfield, CEO at Continuous Controls Monitoring platform Quod Orbis, says: “The issues in these cases appear to have stemmed from a third party, showing just how important it is to have in-depth and real-time visibility across the whole IT ecosystem to prevent breaches.”
The Co-op incident so closely following the incident with M&S earlier this week indicates a troubling pattern we’ve seen among major UK retailers, Greenfield adds. “In both incidents, whilst the swift operational response and containment have been commendable, the real damage had already been done.”
Greenfield says retailers operate within vast digital ecosystems where third-party providers who are responsible for handling everything from payments to logistics can become hidden vulnerabilities. “Just as with M&S, the impact on Co-op’s contactless payments suggests exposure through a third-party system. These outsourced services often lack the same level of scrutiny or continuous monitoring, leaving retailers blind to emerging threats, often until it’s too late.
“While scaling back operations may be a necessary step to limit further exposure, it’s an inherently reactive response. Much like in the M&S example, Co-op now faces not just immediate disruption, but potential long-term fallout in customer trust, especially if loyalty platforms or online channels are affected,” Greenfield says.
Taking both incidents and their abundant similarities into consideration, the lesson here is clear: security assurance must shift from periodic checks to real-time, embedded oversight across both internal systems and partner environments, Greenfield adds. “The complexity of legacy infrastructure paired with modern technology stacks introduces risks that can’t always be effectively mitigated with traditional models.
“Resilience in retail today requires continuous visibility, not just across IT, but within operational and supplier workflows. That’s the only way to stay ahead of threats in an industry where reputation, trust, and timing are everything.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.