In April 2025, the UK-based Retailer Co-op experienced a significant data breach in which cybercriminals accessed and exfiltrated personal information belonging to the company’s entire membership base of 6.5 million individuals. The attack forms part of a wider pattern of sophisticated cyber incidents targeting major UK retailers in recent months.
According to Co-op officials, the breach exposed member data including names, addresses, email addresses, and phone numbers. No financial details, bank account information, card numbers, passwords, or transaction records were compromised in the incident. The company’s internal IT team acted swiftly to contain the breach, cutting off internet access to critical systems and preventing the deployment of ransomware, which could have caused more severe operational and data losses.
The attackers are believed to be linked to the cybercriminal group known as “Scattered Spider,” which has previously targeted organizations across sectors with data-theft and extortion tactics. Law enforcement responded quickly, and four UK-based individuals — three teenagers and a 20-year-old woman — were arrested in connection with the attack. They face charges relating to blackmail, money laundering, and membership in an organized crime group.
Shortly after the breach, Co-op’s chief executive, Shirine Khoury-Haq, issued a public apology, expressing deep regret for the incident and its impact on both members and employees. She acknowledged the distress caused by the breach and reaffirmed the organization’s commitment to improving cybersecurity measures. The company is currently working with the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) as investigations continue and additional safeguards are implemented.
Though Co-op avoided more extensive damage thanks to prompt containment efforts, the breach caused temporary disruptions in store operations, including payment processing issues and restocking delays. It also raised serious concerns around data handling and transparency, particularly given that the retailer did not have cyber insurance in place at the time of the attack.
