Co-op boss admits data breach affected all 6.5 million members

Group does not expect to recover the majority of costs resulting from the incident

Co-op CEO Shirine Khoury-Haq admits that a cyberattack earlier this year compromised the personal data of all 6.5 million of its members.

Speaking to BBC Breakfast, Co-op CEO Shirine Khoury-Haq said she was "incredibly sorry" for the April breach, which exposed names, addresses, and contact details of every member of the group.

However, she said no financial data, such as credit card numbers or transaction histories, was stolen during the attack.

"We know a lot of that information is out there anyway, but people will be worried and all members should be concerned," said Ms Khoury-Haq.

"It hurt my members, they took their data, and it hurt our customers and that I do take personally."

The breach, which forced parts of Co-op's IT systems offline in late April, disrupted several of the organisation's services. Gaps appeared on shelves in some of its 2,000 grocery stores, and over 800 funeral parlours temporarily reverted to paper-based operations due to the loss of access to digital systems.

Initially, the group had stated only that a "significant number" of customers were affected but had not confirmed the full extent. The admission that every member's data was compromised marks a significant escalation in the scope of the breach.

Despite having robust early-warning systems in place that detected suspicious activity within hours, Co-op acknowledged it did not carry cyber-insurance and therefore does not expect to recover most of the costs resulting from the incident.

Meanwhile, a major investigation into the cyberattacks on Co-op, Marks & Spencer, and Harrods has led to the arrests of four individuals, three of them teenagers.

The National Crime Agency (NCA) confirmed last week that a 17-year-old male from the West Midlands, a 19-year-old male also from the West Midlands, a 19-year-old male from London, and a 20-year-old woman from Staffordshire were all taken into custody from their homes.

The individuals were arrested on suspicion of blackmail, money laundering, offences under the Computer Misuse Act, and participation in an organised crime group. All have since been bailed pending further inquiries.

Authorities are investigating possible links between the suspects and Scattered Spider – a loosely affiliated network of English-speaking hackers known for recruiting teenagers and young adults.

The group has previously been connected to high-profile cyberattacks in both the UK and US, and several of its known members are believed to be minors.

In response to the attack, Co-op is partnering with The Hacking Games, a social impact organisation aimed at channelling youth cyber talent, particularly among neurodivergent individuals, into ethical cybersecurity careers.

The initiative will begin in 38 schools affiliated with the Co-op Academies Trust, with long-term ambitions to influence cybersecurity education across the UK.

"At Co-op, we can't just stand back and hope it doesn't happen again - to us or to others," said Khoury-Haq.

"Our members expect us to find a cooperative means of tackling the cause, not just the symptom."

She added that the new partnership aims to "reach talented young people early, guide their skills toward protection rather than harm, and open real paths into ethical work."