The Co-op has confirmed that a cyber attack in April exposed the personal details of all 6.5 million of its members, in what the retailer’s leadership is calling one of the largest data breaches in the history of UK retail.
Addressing the incident publicly for the first time, CEO Shirine Khoury-Haq said the breach had a “devastating” effect on both customers and employees, and described the attack as “deeply personal.” Speaking to BBC Breakfast, Khoury-Haq stated: “No financial or transactional data was taken, but names, addresses, and contact details were accessed. It hurt my members… and that I take personally.”
The National Crime Agency (NCA) has since arrested four people — three teenagers and a 20-year-old woman — in connection with the breach, following a coordinated operation across Staffordshire, London, and the West Midlands. According to the NCA, the group faces allegations of blackmail, money laundering, Computer Misuse Act violations, and organised crime activity.
The attack on Co-op formed part of a broader surge in cyber breaches targeting leading UK retailers, including Marks & Spencer and Harrods. Investigators say the group attempted to deploy ransomware within Co-op’s systems, but IT staff halted the effort by cutting internet connectivity — a step that may have prevented wider business disruption. Nevertheless, Co-op later confirmed that hackers had accessed a significant volume of customer and employee information, including data linked to its profit-sharing scheme.
Marks & Spencer reportedly suffered operational losses totalling £300 million as a result of a related incident, and is preparing a £100 million cyber insurance claim. By contrast, Co-op and Harrods did not hold cyber insurance at the time of the attacks, potentially exposing them to greater financial and reputational risk.
Khoury-Haq detailed the company’s internal response, noting: “I met with our IT staff while they were in the thick of it. I will never forget the expressions on their faces as they tried to fend off these intruders.” She added that once the hackers were expelled from Co-op’s systems, the company monitored the group’s activity in real time and passed intelligence to law enforcement. “People will be anxious, and all members should be worried,” she said.
The incident has renewed scrutiny of cybersecurity practices among UK retailers, especially those handling large volumes of personal data and operating on legacy IT infrastructure. In the aftermath, Co-op experienced disruptions to contactless payments and customer service lines in May, though full payment functionality was restored by mid-month. Co-op operates under a mutual structure, with its members as part-owners of the business.
A spokesperson for Co-op said: “Hacking is not a crime without victims. We’ve been fully engaged with the NCA throughout and are pleased that this has resulted in arrests on behalf of our members.”
