The chief executive of Co-op has confirmed that all 6.5m of its members had their data stolen in a cyber-attack on the retailer in April.
“I’m devastated that information was taken. I’m also devastated by the impact that it took on our colleagues as well as they tried to contain all of this,” Shirine Khoury-Haq told BBC Breakfast in her first public interview since the hack.
“There was no financial data, no transaction data but it was names and addresses and contact information that was lost,” she revealed.
Khoury-Haq added that she was “incredibly sorry” for the attack and that it was “personal” to her because of the impact that it had on her colleagues.
“Early on I met with our IT staff and they were in the midst of it. I will never forget the looks on their faces, trying to fight off these criminals,” she said.
Co-op runs on a membership scheme, where members are paid a share of the profits of the co-operative.
READ MORE: Revealed: Prolific North’s Top 50 Digital Agencies 2025
“It hurt my members, they took their data and it hurt our customers and that I do take personally,” Khoury-Haq added.
Co-op has not put a figure on how much the hack will cost them, but it says it is still working to restore back-end systems.
Among Co-op’s responses to the hack is a new partnership with cyber-security recruitment company The Hacking Games, which identifies young talent to channel their skills into legal careers.
“The research shows that if you offer these kids talent development opportunities and career opportunities, the vast majority of them will take the legitimate pathway,” said chief executive Fergus Hay.
It is now planning a pilot programme with Co-op Academies Trust, which runs 38 schools in England.
Lauren Wills-Dixon, head of data privacy at Leeds law firm Gordons, said: “Now that Co-op has confirmed that names and addresses of its members were stolen, it highlights once again the importance of cyber security measures for businesses, and indeed the risks in an increasingly digital world.
“Customer, employee or, in this case, members’ data makes an attractive target to hackers. Financial data wasn’t compromised, so this definitely could have been worse, but people will naturally be worried about their personal data being exposed to malicious actors in this way. Retailers are among the most common targets for cyber attacks because of the large amounts of customer data they hold, and the increased use of technology by the industry to reduce overheads and streamline operations has raised the risk even further.
“Legal requirements following an attack of this kind will depend on the exact nature of the breach, but can include reporting to the Information Commissioner’s Office (ICO) if individual rights and freedoms are at risk of harm. The ICO has already confirmed back in May it had a report from Co-op Group, which will no doubt be communicating directly with its members.
“In this new world, it’s not ‘if’ but ‘when’ a cyber-attack will happen. This is another reminder that it’s absolutely critical that businesses take legal, regulatory and best practice measures to build and maintain cyber resilience and have a clear plan in place for if the worst does happen.”
Co-op was one of three household name retailers, alongside Marks and Spencer and Harrods who were victims of cyber-attacks in spring this year.
M&S also had customer data stolen, and is still getting its systems back to normal after huge disruption which has cost it millions of pounds.
Last week, the National Crime Agency (NCA) said four people had been arrested in connection with the hacks on Co-op and M&S.
