The hackers, operating under the name DragonForce, have contacted the BBC with evidence showing they penetrated IT systems and extracted substantial volumes of customer and employee information.
The Co-op acknowledged that hackers had “accessed data relating to a significant number of our current and past members.” This contradicts earlier statements that it had implemented “proactive measures” against hackers, operations were only experiencing “small impact” and there was “no evidence that customer data was compromised”.
The hackers claim to possess personal information of 20 million Co-op membership programme participants, though the company has not verified this figure. DragonForce also claimed responsibility for the ongoing Marks & Spencer attack and an attempted breach at Harrods.
These incidents prompted government minister Pat McFadden to urge companies to prioritise cyber security measures.
The evidence includes screenshots of extortion messages sent to Co-op’s head of cybersecurity via internal Microsoft Teams on April 25, stating: “Hello, we exfiltrated the data from your company. We have customer database, and Co-op member card data.”
The hackers shared databases containing employee credentials and a sample of 10,000 customer records, including membership numbers, personal details, addresses, emails and phone numbers. The BBC reports that it has since destroyed this data.
The breach explains why Co-op staff were recently instructed to keep cameras on during Teams meetings, avoid recording calls and verify participant identities – measures implemented because hackers had accessed internal communications systems.
The Co-op said on Friday: “We are continuing to experience sustained malicious attempts by hackers to access our systems. This is a highly complex situation, which we continue to investigate in conjunction with the National Cyber Security Centre and the National Crime Agency.
“We have implemented measures to ensure that we prevent unauthorised access to our systems whilst minimising disruption for our members, customers, colleagues and partners.
“As a result of ongoing forensic investigations, we now know that the hackers were able to access and extract data from one of our systems.
“The accessed data included information relating to a significant number of our current and past members.
“This data includes Co-op Group members’ personal data such as names and contact details, and did not include members’ passwords, bank or credit card details, transactions, or information relating to any members’ or customers’ products or services with the Co-op Group.
“We appreciate that our members have placed their trust in our Co-op when providing information to us. Protecting the security of our members’ and customers’ data is a priority, and we are very sorry that this situation has arisen.”