Co-op, London. Credit: WD Stock Photos, Shutterstock
The CEO of the Co-op, Shirine Khoury-Haq, has confirmed that all 6.5 million members of the mutual had their personal data stolen in a major cyberattack discovered in April 2025.
“It hurt my members… and that I do take personally,” Khoury-Haq told the BBC, adding she was “incredibly sorry” for the breach.
The stolen information included names, addresses, and contact details, but no financial data like card numbers or transactions were accessed. The Co-op initially reported only a “significant number” of members had been affected.
The attack forced the group – which owns over 2,000 grocery stores and 800 funeral parlours – to shut down IT systems. Some services reverted to paper-based operations, and shelves were left empty due to supply chain disruptions.
Four people, including three teenagers, were arrested last week in connection with the Co-op, M&S, and Harrods cyberattacks. The National Crime Agency is investigating potential links to Scattered Spider, an English-speaking hacker collective.
The Information Commissioner’s Office has urged concerned members to visit its website for support.
Should more UK firms be legally required to hold cyber insurance?
View all UK news.
View all finance news.
