UK Grocer Co-op Says Hackers Obtained Customer Data

The UK supermarket chain Co-op said hackers were able to access and extract customer data from one of its systems during a recent cyberattack.

“The accessed data included information relating to a significant number of our current and past members,” the company said in a statement Friday. “This data includes Co-op Group members’ personal data such as names and contact details, and did not include members’ passwords, bank or credit card details, transactions or information relating to any members’ or customers’ products or services with the Co-op Group.”

The statement cames as a cybercrime gang took credit a disruptive campaign of attacks targeting Co-op and at least two other British retailers over the last two weeks.

A spokesperson for the gang, known as “DragonForce,” said in an interview with Bloomberg News that it and its partners were behind incidents targeting Marks & Spencer, Co-op and Harrods.

The group’s motivation was to extort money from their victims, the spokesperson said. They also claimed to have stolen customer data. The admission is the first confirmation the attacks were linked and carried out by the same group.

Marks & Spencer first announced it had been targeted in a “cyber incident” on April 22. Some of the company’s systems were infected with DragonForce’s ransomware, which encrypts files stored on computers so they cannot be used, Bloomberg News previously reported.

In the aftermath of the attack, M&S stopped accepting contactless payments and shut down online orders. Transactions have yet to resume. There have also been reports of gaps on shelves as the company struggles with availability for some items.

In a post on X Friday, M&S Chief Executive Officer Stuart Machin apologized for the disruption, saying the company is working “day and night” to resolve the issue.

On April 30, British supermarket chain Co-op said it had detected attempts to gain unauthorized access to some of its systems, which it said had a “small impact” on some back office and call center services. On Friday, the retailer said it was investigating along with Uk authorities. “We are continuing to experience sustained malicious attempts by hackers to access our systems,” Co-op said, in a statement. “This is a highly complex situation.”

That was followed on May 1 by a statement from London’s luxury department store Harrods Ltd. disclosing that it had suffered attempts to compromise its systems. The company said it had restricted internet access at its sites in response.

Neither Marks & Spencer, Harrods nor Co-op immediately responded to requests for comment on the DragonForce claims.

The creators of DragonForce, whose identities aren’t known, operate like a criminal cartel, leasing out their malicious software and infrastructure to other hackers while taking a cut of any proceeds earned through extortion, experts say.

Hackers working with DragonForce claimed more than 90 victims last year and targeted companies across various industries, including health care, manufacturing and telecommunications, according to Broadcom’s cybersecurity unit Symantec. The attacks spanned more than a dozen countries across North America, Europe, the Middle East and Asia, according to cyber experts.

The DragonForce spokesperson declined to comment on whether they were negotiating with the British retailers. They said that they typically expect their victims to pay ransom payments that have seven zeros, possibly six. “Our job is not to destroy, we just take some money and walk away,” they said.

The gang claimed it was in the process of harvesting a large trove of data, amounting to terabytes, that it had stolen from the British companies, and suggested that it would release it online if its demands for payment are not met.

The group added that it planned more attacks on the UK’s retail sector, saying the recent breaches were “just a start.”

Some cybersecurity experts have said the attacks bore the hallmarks of a hacking group known as Scattered Spider, whose previous targets included MGM Resorts International and Caesars Entertainment Inc.

It’s possible Scattered Spider is working with DragonForce and using its ransomware, according to John Hultquist, chief analyst at Google Threat Intelligence Group. Scattered Spider has a history “of going one by one through a sector,” Hultquist said, “so the peers of the companies that have been targeted need to really batten down the hatches. The threat is imminent.”

Asked about a cooperation with Scattered Spider, DragonForce’s spokesperson said they didn’t know the identities of the hackers it worked with.

Photograph: A customer uses their phone to pay inside a Marks & Spencer Group Plc (M&S) food store at Fenchurch station in London, UK, on Thursday, May 1, 2025. Photo credit: Chris Ratcliffe/Bloomberg