Cybercriminal group DragonForce has told BBC News their hack of Co-op is far worse than the company initially disclosed. The hackers provided evidence that they infiltrated Co-op’s IT networks, stealing substantial amounts of customer and employee data.
Co-op had previously downplayed the breach, stating it had minimal impact on operations and assuring that customer data wasn’t compromised. However, the hackers claim to have data on 20 million people from Co-op’s membership program, though the company hasn’t confirmed this.
DragonForce also claims responsibility for attacks on M&S and an attempted hack of Harrods. The government has urged companies to prioritize cybersecurity following these incidents.
The hackers shared evidence of messages sent to Co-op’s cybersecurity head in April, claiming to have accessed customer and member data. Co-op staff were instructed to keep cameras on during Teams meetings and verify participants, likely due to the hackers’ access to internal communications.
DragonForce provided a sample of 10,000 customers’ personal data, including names, addresses, and phone numbers. Co-op confirmed the breach but stated no sensitive financial information was exposed.
The hackers are demanding a ransom and want the BBC to report on the attack. DragonForce, known for encrypting data and extorting victims, operates an affiliate service for others to carry out cyberattacks.
Co-op is working with the National Cyber Security Centre and the National Crime Agency and has expressed regret over the situation.
