Major Data Breach at Co-op: Hackers Access Customer Information

Cybercriminal group “DragonForce” has told BBC News that their cyberattack on Co-op was significantly more severe than what the company has publicly disclosed.

The hackers provided evidence that they had successfully infiltrated Co-op’s IT systems, claiming to have extracted a vast amount of personal data belonging to both customers and employees.

Following inquiries from the BBC on Friday, a Co-op spokesperson admitted that attackers had “accessed data relating to a significant number of our current and past members.”

Previously, Co-op stated it had taken “proactive measures” to defend against the intrusion and downplayed the impact, calling it “small” and saying there was “no evidence that customer data was compromised.”

However, DragonForce alleges it obtained sensitive information from over 20 million members who signed up for Co-op’s loyalty program. The company has declined to confirm the accuracy of this number.

 

The group also claims responsibility for a recent cyberattack on Marks & Spencer (M&S) and a failed hacking attempt targeting Harrods, suggesting a broader campaign against major UK retailers.

Hackers Leak Evidence of Co-op Breach, Including Sensitive Employee and Customer Data

The hacker group behind the cyberattack on Co-op, known as DragonForce, has provided new evidence to the BBC suggesting their breach was deep and deliberate. The group shared screenshots showing their first extortion message, sent via Microsoft Teams to Co-op’s head of cybersecurity on April 25.

“Hello, we exfiltrated the data from your company,” the message reads. “We have customer database, and Co-op member card data.”

The hackers claim they also contacted other executives as part of an organized blackmail attempt, and they showed screenshots of a video call with the head of security that allegedly took place about a week ago.

With over 2,500 supermarkets, 800 funeral homes, and a nationwide insurance business, Co-op is one of the UK’s most recognizable retail chains, employing approximately 70,000 staff across the country.

After the attack was made public on Wednesday, new security measures were swiftly implemented. On Thursday, internal sources revealed that Co-op employees were instructed to keep cameras on during meetings, avoid call recordings or transcripts, and confirm the identities of all participants — precautions now believed to be direct responses to the hackers’ infiltration of internal communications.

To further demonstrate their access, DragonForce shared employee login credentials and a sample dataset of 10,000 customer records, including full names, home addresses, Co-op membership numbers, phone numbers, and email addresses.

The BBC has confirmed receipt of the data, destroyed all copies, and will not publish or distribute the sensitive material.

Co-op Confirms Major Data Breach After Hacker Group DragonForce Releases Evidence

Following direct contact from the BBC, UK retail giant Co-op has officially disclosed the full scope of a major cyber attack that compromised personal data of its members. The confirmation comes after the hacker group DragonForce provided screenshots and sample data proving their access to internal systems.

A company spokesperson admitted that the stolen data includes names and contact details of Co-op Group members, but clarified that no passwords, financial information, or transaction history were affected.

The membership database, long considered one of Co-op’s most valuable assets, was among the files accessed. DragonForce, a ransomware-as-a-service (RaaS) group, is reportedly using the breach as leverage in an extortion attempt, pressuring the company to pay up in exchange for silence.

Despite requests for details, the cybercriminals refused to explain what would happen to the data if the ransom wasn’t paid. They also declined to comment on related alleged attacks on M&S and Harrods, and ignored questions about the ethical or emotional impact of their actions.

DragonForce is notorious for both encrypting victims’ data and stealing it as part of their multi-pronged extortion tactics. The group allows affiliates to use its malware and infrastructure to launch their own attacks, making it difficult to track down the individuals behind any specific breach.

Cybersecurity experts have linked the tactics in this case to Scattered Spider (also known as Octo Tempest) — an English-speaking, loosely organized group of young hackers who operate via Telegram and Discord. Many of its members are reportedly teenagers, fluent in English, and highly capable of social engineering.

Conversations with the Co-op hacker — who identified himself as a “spokesperson” — were conducted via text. His tone and language fluency suggested a native or near-native English speaker.

Co-op is now working closely with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) to investigate the breach. The company has issued a public apology, stating it is "very sorry this situation has arisen" and that it is taking all necessary steps to protect affected members.

Source: BBC.