The Guardian - UK
Business
Sarah Butler

Co-op boss admits all 6.5m members had data stolen in cyber-attack

A man passes empty shelves in a Co-op store
The cyber-attack on the Co-op led to gaps on shelves in its grocery stores and funeral parlours were forced to revert to running some services via paper-based systems. Photograph: Danny Lawson/PA

The chief executive of the Co-op has apologised to its customers after admitting that all 6.5 million of the mutual’s members had their data stolen in a recent cyber-attack.

Shirine Khoury-Haq told the BBC she was “incredibly sorry” for the attack, in which names, addresses and contact information were obtained by hackers.

She said no financial information, such as credit or debit card details, or transaction data was stolen in the hack, which occurred in April.

“We know a lot of that information is out there anyway, but people will be worried and all members should be concerned,” she said.

Previously, the company had only said that a “significant number” of its customers’ data had been accessed by the hackers, but did not give a precise figure.

“It hurt my members, they took their data and it hurt our customers and that I do take personally,” Khoury-Haq said.

The group, which owns more than 2,000 grocery stores, more than 800 funeral parlours and also offers legal and financial services, was forced to shut down parts of its IT systems in late April after discovering an attempted hack, days after Marks & Spencer also faced a serious cyber-incident.

The cyber-attack on the Co-op led to gaps on shelves in its grocery stores, while its funeral parlours were forced to return to operating some services via paper-based systems without access to digital services.

Co-op executives told MPs recently that many of its systems were protected from attack because it had defences in place which detected unusual behaviour within a few hours.

However, the company admitted it was not expecting to make “any significant recovery” of the costs of the hack from insurers as it chose to invest in detection systems rather than cyber-insurance policies.

Last week, four people including three teenagers were arrested at addresses in the West Midlands, Staffordshire and London as part of an investigation into the cyber-attacks on the Co-op, M&S and Harrods, which all occurred within days of one another.

The National Crime Agency, which is investigating the hacks alongside the police, is looking at the involvement of Scattered Spider, a loose collective of native English-speaking hackers.

The Information Commissioner’s Office, the UK’s data protection watchdog, has said those concerned about their personal information should visit its website for advice and support.

Retailers and their suppliers have faced a series of cyber-attacks in recent years including Morrisons, which was affected by an incident at its tech supplier Blue Yonder in the run-up to Christmas last year.

In 2023, WH Smith was hit by an attack in which company data was accessed illegally, including the personal details of current and former employees.
