A major supermarket chain has admitted that hackers accessed the details of customers in a cyberattack.
The group, calling itself DragonForce, said it had infiltrated Co-op’s IT network and stolen customer and employee data in its cyberattack on Wednesday.
The hackers claimed to have the private information of 20 million Co-op customers who signed up to the supermarket’s membership scheme.
The Co-op initially told the public the attack only had a “small impact” on operations and that there was “no evidence data was compromised”.
But the hackers, who also claimed to be behind the ongoing cyberattack on Marks & Spencer and an attempted attack on Harrods, said the breach was far more serious than the company first revealed.
The supermarket has now admitted that hackers “accessed data relating to a significant number of our current and past members”.
Screenshots of the messages sent to the Co-op’s head of cybersecurity in an internal Microsoft Teams chat on 25 April by DragonForce have been seen by the BBC.
The messages said: “Hello, we exfiltrated the data from your company.”
“We have customer database, and Co-op member card data,” the chat added.
The BBC also reported that hackers shared databases showing usernames and passwords of employees.
It also revealed that the cybercriminals had obtained customers’ data, including Co-op membership card numbers, names, home addresses, emails and phone numbers.
The Co-op has since apologised to its customers and explained the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) are assisting with the investigation.
A Co-op spokesperson said: “We are continuing to experience sustained malicious attempts by hackers to access our systems. This is a highly complex situation, which we continue to investigate in conjunction with the NCSC and the NCA.
“We have implemented measures to ensure that we prevent unauthorised access to our systems whilst minimising disruption for our members, customers, colleagues and partners.
“As a result of ongoing forensic investigations, we now know that the hackers were able to access and extract data from one of our systems. The accessed data included information relating to a significant number of our current and past members.
“This data includes Co-op Group members’ personal data such as names and contact details, and did not include members’ passwords, bank or credit card details, transactions or information relating to any members’ or customers’ products or services with the Co-op Group.
“We appreciate that our members have placed their trust in our Co-op when providing information to us. Protecting the security of our members’ and customers’ data is a priority, and we are very sorry that this situation has arisen.”