Co-op Confirms Data Breach Impacting 6.5 Million Members Following April Ransomware Attack
The Co-operative Group (Co-op), one of the UK’s largest consumer co-operatives, has officially confirmed that the personal data of 6.5 million members was stolen in a major cyberattack earlier this year. The incident, which occurred in April, forced the organization to shut down critical IT systems, causing widespread operational disruption, including food shortages across its grocery store network.
The Co-op operates food stores, insurance, legal services, and funeral care, and is collectively owned by millions of members. These members not only receive service discounts but also participate in the company’s governance structure.
Co-op CEO Publicly Acknowledges Data Theft and Apologizes to Members
Appearing on BBC Breakfast, Co-op CEO Shirine Khoury-Haq confirmed that attackers successfully accessed and exfiltrated data of all 6.5 million members. She described the breach as a deeply personal blow to both customers and staff:
“Their data was copied, and the criminals did have access to it like they do when they hack other organizations. That is the awful part of this unfortunately,”
— Shirine Khoury-Haq, CEO, Co-op
She added:
“It was personal to me because it hurt them. It hurt my members. They took their data and it hurt our customers, and that I do take personally.”
Although no financial or transactional data was exposed, the attackers did obtain contact and personal information of members.
How the Attack Unfolded: Social Engineering and Lateral Movement
Initially downplayed as an attempted intrusion, the breach was later classified as a large-scale compromise involving unauthorized data access. According to sources, the intrusion began on April 22 after a social engineering campaign allowed attackers to reset an employee’s password.
Once inside, the threat actors moved laterally through the network and stole the NTDS.dit file, Microsoft’s Active Directory database containing hashed passwords for user accounts. Attackers commonly steal this file so they can crack user credentials offline and escalate access.
Attribution to Scattered Spider and Connection to DragonForce Ransomware
BleepingComputer sources attributed the breach to affiliates of the Scattered Spider threat group—a ransomware actor also involved in the Marks & Spencer (M&S) and MGM Resorts attacks. In those campaigns, the DragonForce ransomware encryptor was deployed.
The BBC spoke directly with the DragonForce operator, who confirmed one of its affiliates conducted the Co-op attack. The group also shared stolen corporate and customer data samples as proof of exfiltration.
UK Law Enforcement Responds with Arrests of Suspected Cybercriminals
In response to the Co-op breach and related incidents, the UK’s National Crime Agency (NCA) arrested four suspects linked to the cyberattacks targeting Co-op, M&S, and Harrods. Those arrested include:
- Two 19-year-old males
- One 17-year-old male
- One 20-year-old female
The arrests were made in London and the West Midlands. One of the individuals is reportedly connected to the 2023 MGM Resorts ransomware attack, which involved encryption of over 100 VMware ESXi systems. That incident was also linked to Scattered Spider, operating in coordination with the BlackCat (ALPHV) ransomware group at the time.
Why This Matters for Enterprise Security Teams
The Co-op incident demonstrates how even member-driven, non-profit organizations are being targeted by sophisticated ransomware actors. Threat groups like Scattered Spider are increasingly exploiting social engineering to bypass perimeter defenses, aiming to extract sensitive identity data and deploy ransomware across critical infrastructure.