373/68 Tuesday, September 30, 2025

The cyberattack against Co-op in April had widespread consequences, leaving store shelves empty, exposing customer data, and causing the company to suffer over $275 million (approx. £206 million) in lost revenue. The food division was hit the hardest, with prolonged product shortages lasting several weeks. While Co-op was able to avoid a ransomware infection by segmenting its networks, the personal data of as many as 6.5 million members was still compromised.
The DragonForce cybercriminal group claimed responsibility for the attack, telling the BBC that it had stolen Co-op’s membership data. The group also shared screenshots of threatening messages sent via Microsoft Teams to the company’s Chief of Cybersecurity on April 25, along with reports of direct phone calls made to the Head of Security. DragonForce further claimed to have data on more than 20 million members, though Co-op has not confirmed that figure. Stolen data included names, addresses, emails, phone numbers, and dates of birth, but not passwords, bank card details, or transaction records. The company described the overall risk as “very low” and said no compensation would be offered, while continuing to provide normal membership benefits through promotions and discounts.
Shortly after the incident, the UK’s National Crime Agency (NCA) arrested four suspects aged 17–20 in London and the West Midlands on July 10, seizing all electronic devices for forensic examination. One suspect was identified as Latvian. All were charged under the Computer Misuse Act, as well as with blackmail, money laundering, and involvement in organized crime. Meanwhile, the Cyber Monitoring Centre (CMC) classified the attacks on both Co-op and Marks & Spencer (M&S) as Category 2 incidents, estimating the combined damages at £270–440 million.
