.jpg)
.svg)
Shirine Khoury-Haq, the chief executive of Co-op, confirmed that the personal data of all 6.5 million members was stolen during a cyber-attack on the retailer in April. Speaking on BBC Breakfast in her first public interview since the breach, she said:
“I’m devastated that information was taken. I’m also devastated by the impact it had on our colleagues as they tried to contain all of this.”
She clarified that no financial or transactional data was stolen — only names, addresses, and contact details of members were compromised.
Meanwhile, police investigating the cyber-attacks on Co-op and M&S arrested four people last week; they have all been released on bail. Those arrested include a 17-year-old British male from the West Midlands, a 19-year-old Latvian man also from the West Midlands, a 19-year-old British man from London, and a 20-year-old British woman from Staffordshire. According to the National Crime Agency (NCA), they were detained on suspicion of blackmail, money laundering, offences under the Computer Misuse Act, and involvement in organised crime. Electronic devices were also seized during the arrests.
Khoury-Haq said she felt “incredibly sorry” about the incident, describing it as personal because of how it affected both her colleagues and Co-op members:
“Early on I met with our IT staff who were in the middle of fighting it off. I will never forget the looks on their faces, trying to stop these criminals.”
She added that, even though the hackers were eventually removed from Co-op’s systems, the damage had already been done:
“We know a lot of that information is already out there anyway, but people will understandably be worried — and all members should be concerned.”
The Co-op operates a membership scheme where members receive a share of the organisation’s profits. Khoury-Haq noted how painful it was to see members’ trust violated:
“It hurt my members, they took their data, and it hurt our customers — and that I take personally.”
Co-op has not disclosed how much the cyber-attack will ultimately cost but confirmed it is still working to fully restore its back-end systems. As part of its response to the attack, the retailer is partnering with a cybersecurity recruitment company called The Hacking Games, which identifies young people with hacking skills and guides them into legal cybersecurity careers.
Fergus Hay, CEO of The Hacking Games, explained:
“Research shows that if you offer these young people talent development and legitimate career opportunities, the vast majority of them will choose the right path.”
The company plans to pilot a programme with the Co-op Academies Trust, which runs 38 schools across England.
What happened in the cyber-attacks?
Co-op was one of three major retailers — alongside Marks & Spencer (M&S) and Harrods — targeted by cyber-attacks in spring this year.
On April 30, Co-op announced it had been hacked, initially suggesting it would only have a “small impact” on its call centre and back-office operations. However, days later, after being contacted by the alleged hackers, BBC News revealed that customer and employee data had indeed been accessed.
Co-op later admitted the criminals had stolen data belonging to a significant number of current and former members. According to information from the attackers, Co-op managed to disconnect its IT systems from the internet just in time to prevent the deployment of ransomware, which could have caused even more serious damage.
M&S also suffered a data breach and is still in the process of restoring its systems, with the disruption reportedly costing it millions of pounds.
