The Co-operative Group has confirmed that personal data of all 6.5 million of its members in the UK was stolen during a sophisticated cyberattack earlier this year. The incident, which took place in April, impacted several IT systems and caused temporary disruptions across stores, including payment processing and inventory management systems.
While ransomware deployment was ultimately averted, hackers successfully exfiltrated customer information including names, addresses, and contact details. The breach did not halt operations entirely, but it did lead to partial outages that caused delays and empty shelves across Co-op locations.
Arrests made as part of ongoing investigation
UK law enforcement has arrested four individuals—three male teenagers and one female—in connection with this breach. Authorities believe these suspects may also be linked to intrusions at other high-profile retailers such as Marks & Spencer and Harrods. The National Crime Agency has pointed to weaknesses in remote access protocols and poor password hygiene as key vulnerabilities exploited by attackers.
In response to the breach, the Co-op has announced a strategic collaboration with The Hacking Games to nurture ethical hacking talent and reinforce its cybersecurity infrastructure. The move signals a shift toward proactive defence in the face of rising cyber threats to retail and supply chain businesses.
NCC Group considers sale of cybersecurity division
Separately, UK-based NCC Group has revealed that it is reviewing strategic options for its core cybersecurity business. This comes amid an ongoing process to divest its Escode unit, which offers software escrow and verification services.
Although no formal buyer has emerged and discussions remain at an early stage, the company is reportedly evaluating a range of possibilities—including a full sale of its cybersecurity unit. The announcement follows growing M&A interest in the cybersecurity sector, especially around specialised threat monitoring and managed security providers.
