Co-op breach exposes data of 6.5 million members; officials cite Scattered Spider group

The Co-op Group has confirmed a cyberattack that compromised the personal data of its 6.5 million members, raising alarms across the British retail sector and prompting renewed calls for stronger cybersecurity standards.

The April 2025 breach involved unauthorized access to a membership database containing names and contact information. According to the Co-op, financial and transactional records were not affected. The attackers were reportedly intercepted before ransomware could be deployed.

Chief executive Shirine Khoury-Haq disclosed the full extent of the incident during an appearance on BBC Breakfast this week, apologizing to members and staff. “I’m incredibly sorry,” she said, adding that some of the compromised data may already be circulating online.

The breach is believed to be the work of the hacking group known as Scattered Spider, based on assessments by security experts and with medium confidence. The U.K.’s National Crime Agency recently arrested four individuals aged 17 to 20 in connection with a string of cyberattacks against major retailers, including M&S and Harrods. All have been released on bail pending further investigation.

Operational impacts included temporary product shortages in some Co-op locations, further underscoring risks to national food supply chains.

In response to the incident, Co-op announced a partnership with The Hacking Games, a non-profit initiative aimed at guiding neurodiverse youth toward careers in ethical cybersecurity — a proactive step to counter criminal recruitment tactics.

Cybersecurity experts have called the breach a critical inflection point for U.K. retail, urging organizations to strengthen digital resilience in the face of increasingly sophisticated threats. Co-op officials said they continue to monitor for any misuse of compromised data and are advising members to be cautious of phishing attempts and potential identity theft.