Attackers snatched all 6.5M member records • The Register


07/16/2025


Co-op Group’s chief executive officer has confirmed that all 6.5 million of the organization’s members had their data stolen during its April cyberattack – Scattered Spider is believed to be behind the digital heist.

Shirine Khoury-Haq confirmed the scale of the attack to the BBC Breakfast show on Wednesday, adding that the attackers copied the member file but were thwarted before they could deploy ransomware.

“The good thing was because we did block them, they could not erase what they did,” she said.

“So we could monitor every mouse click, we saw every piece of code that they had written, we knew everywhere they went in our systems, and we were able to relay that back to the authorities.”

For a £1 ($1.34) fee, Co-op members become part-owners of the retailer, giving them a say in how the business is run, as well as access to exclusive deals and discounts.

Asked whether members should be concerned about their data being in the hands of the attackers and potentially posted online, Khoury-Haq said she understood that many would be uneasy about that fact, but much of the data that was copied was most likely “out there” anyway.

This appeared to be an allusion to the possibility that the data copied and stolen pertained to personal details such as names and contact details.

Co-op had previously confirmed that no financial or transaction data was affected.

“Honestly, I’m devastated that information was taken,” the CEO added. “I’m also devastated by the impact that had on our colleagues as well as they tried to contain all of this.

“Early on, I met with our IT staff, and they were in the midst of it, and I will never forget the looks on their faces trying to fight off these criminals and protect our members’ data, and trying to protect our organization as well. That will never leave me.”

Khoury-Haq’s television appearance came hours after the Co-op announced a partnership with The Hacking Games, a social impact business, which aims to identify neurodiverse youth who may be vulnerable to drifting into cybercrime and channel their interests into pursuing ethical cybersecurity instead.

It said in an announcement that more than 50 percent of UK tech workers identify as neurodivergent, yet 71 percent of autistic adults in the UK are unemployed.

Co-op Group is chiefly known for its countrywide grocery stores and funeral parlors, but also runs Co-op Academies Trust, which oversees 38 Co-op-branded schools attended by 20,000 students.

The partnership aims to introduce initiatives to these students that inspire potential future cybersecurity offenders to put on the white hat in their chosen career path. The long-term ambition is that these efforts expand into the wider education system.

Greg Francis, cyber offender prevention consultant at 4D Cyber Security Ltd and former SOCA and NCA cybercrime investigator and prevention officer, said: “Unlike their offline counterparts, young people entering cybercrime receive little to no deterrents and are often left to self-police their online activities.

“There’s a vital role for stakeholders – from parents and educators to search engines, gaming platforms and the cybersecurity industry – to embrace their digital responsibility and help young people make informed choices.”

The National Crime Agency (NCA) arrested four individuals aged between 17 and 20 as part of its investigation into the attacks on British retail companies (including M&S and Harrods, as well as the Co-op) last week.

It told The Register this week that all four had been bailed pending further investigations, and none had been charged at this stage.

Retail attacks ‘a wake-up call’

Speaking to a parliamentary joint committee about the recently announced National Security Strategy, senior minister Pat McFadden said the costly attacks on the retailers should serve as a wake-up call for both government and other organizations.

Asked about the potential impact had the April attacks hit two of the three biggest supermarket chains in the UK – Tesco, Sainsbury’s, or Asda – instead of smaller ones like Co-op and M&S, McFadden said “who can say exactly,” but assured robust protections are in place.

May 2025: A Co-op store in Manchester warns of food availability issues on half-stocked shelves


The main concerns expressed by committee members centered around access to food. While Co-op and M&S were both able to keep their stores open during their recovery periods, empty or half-stocked shelves at some sites served as vivid reminders of how severe an attack on a grocer could be.

“I think that supermarkets have very robust food distribution systems,” McFadden said. “I don’t want to alarm the public here, but I would say those attacks did show the importance of strong cybersecurity, as I keep saying, in both public and private sectors. 

“I don’t want to sit here as a minister and say this is just a matter for the private sector, it’s obviously not, it’s a matter for all of us.”

On the topic of incentivization, which has been a common discussion among cybersecurity folk in recent years, the Cabinet Office minister said he believes it is “really important” that discussions are had with critical infrastructure providers on which the public rely. These include but are not limited to banking, energy, and food distribution.

Asked whether these providers are properly incentivized to invest in securing their infrastructure, McFadden told the committee:

“I don’t think you could ever say every risk is covered. But I think if you look at the experience of what has happened in the last couple of months, boards will be very conscious of the danger of this, seeing what it has done to a couple of Great British companies and household names in recent months.” ®
