Co-op CEO Says Data Breach Is “Personal” as Retail Giant Grapples With Fallout From April Cyberattack
- Cyber Jill
- 4 hours ago
- 3 min read
After months of silence following a devastating cyberattack, Co-op CEO Shirine Khoury-Haq has spoken publicly for the first time, calling the incident “personal” and expressing heartbreak over the breach that exposed the data of 6.5 million members.
“I’m devastated,” Khoury-Haq said during a broadcast interview, describing not only the technical challenges but the emotional toll it has taken on staff and customers alike. “It hurt my members, they took their data, and it hurt our customers. That I do take personally.”
What Happened in April
The April breach, which also hit Marks & Spencer and Harrods, initially appeared to be a routine disruption. But it soon unraveled into a massive data compromise. While no financial data was taken, attackers gained access to names, addresses, and contact details—information ripe for phishing, fraud, and identity theft.
Khoury-Haq recalled visiting Co-op’s IT team as they struggled to contain the intrusion. “I will never forget the looks on their faces, trying to fight off these criminals—it was devastating.” Though the attackers were eventually removed from internal systems, the CEO acknowledged that some stolen information is likely still circulating online. “People will be worried,” she said, urging vigilance among members.
Four Arrested, But Uncertainty Lingers
Four individuals—three men aged 17 to 19 and a 20-year-old woman—were arrested in connection with the breach and later released on bail. The National Crime Agency said they are being investigated for potential blackmail, money laundering, and offenses under the Computer Misuse Act. Authorities seized digital devices but have not yet filed charges.
The Threat Actor Behind the Curtain
Security experts have linked the attack to Scattered Spider, a well-known cybercrime group notorious for using social engineering tactics to infiltrate call centers and help desks.
Andrew Costis, Engineering Manager at AttackIQ’s Adversary Research Team, said the Co-op breach should serve as a stark wake-up call.
“UK retail giant Co-op has announced that all 6.5 million of its customers had their data stolen during the April cyberattack on the company. The company’s CEO has issued an apology, stating Co-op is ‘very sorry’ for those whose information was breached. The attack on Co-op was part of a larger chain of cyberattacks on UK retailers in April 2025, including Marks & Spencer and Harrods. Those attacks were attributed to the cybercrime group Scattered Spider, which has been very active so far this year across numerous sectors. The group’s continued success serves as a reminder that attackers are continually exploiting human error and vulnerabilities. Organizations must ensure they can proactively prepare defenses to safeguard company and customer information. That means understanding the tactics, techniques, and procedures threat actors are leveraging. Regular security measure audits should be conducted to identify vulnerabilities and inform decisions on how to close the gaps.”
The FBI has also issued warnings about Scattered Spider’s expanding targets, including recent attempts to breach aviation industry networks using the same deceptive access techniques.
A Long Road to Recovery
The financial impact on Co-op is still being assessed, but similar breaches have cost companies tens of millions in damages and recovery costs. Khoury-Haq said restoring systems and rebuilding customer trust remains the top priority.
M&S, another victim in the spring cyber campaign, has faced major operational disruptions and continues to deal with the fallout.
David Stuart, cybersecurity evangelist at Sentra, believes the breach illustrates how outdated defenses leave legacy retailers vulnerable. “It demands full visibility into where data lives, what its security posture is, how it moves, and who can access it,” he said.
Fighting Cybercrime at the Source
Co-op is attempting a more holistic response by partnering with The Hacking Games and the Co-op Academies Trust to launch a talent development program aimed at identifying and mentoring potential ethical hackers within UK schools. The goal: steer tech-savvy youth away from cybercrime by providing alternative career pathways.
Looking Ahead
For Khoury-Haq, the attack wasn’t just a cybersecurity failure—it was a breach of trust. “This wasn’t just a system issue. It was personal. And we’re going to make sure it never happens again.”
But as cybercriminals continue to evolve, so too must the strategies to combat them. For organizations like Co-op, securing digital infrastructure is no longer optional—it’s existential.