Co-op has confirmed that the personal details of all 6.5 million of its members were stolen in a cyberattack earlier this year. For the first time since the Co-op cyberattack, Co-op’s CEO Shirine Khoury-Haq told BBC Breakfast that she was deeply sorry for what happened and how it affected both customers and staff.
She said she was devastated that member information had been taken, and equally concerned about the toll the breach took on employees who worked to contain the attack.
The cyberattack on Co-op, which occurred in April, compromised names, addresses, and contact details of members. While no financial or transactional data was accessed, Khoury-Haq acknowledged that the breach had caused concern among members and staff alike.
She noted that although payment data was not affected in Co-op cyberattack, the exposure of personal information was still significant.
Emotional Toll on Staff and CEO
During her interview, Khoury-Haq revealed the personal impact of the Co-op cyberattack, especially after witnessing the pressure and urgency faced by the company’s IT team.
“Early on I met with our IT staff and they were in the midst of it. I will never forget the looks on their faces, trying to fight off these criminals,” she said. While the hackers were removed from Co-op’s systems, their digital footprints remained, allowing the company to monitor all activities and report them to the authorities.
“We know a lot of that information is out there anyway, but people will be worried and all members should be concerned.”
The Co-op CEO emphasized that the membership structure of the organization, where members share in the company’s profits, made the attack especially personal. “It hurt my members, they took their data and it hurt our customers and that I do take personally,” she said.
Arrests Made, Suspects Out on Bail
The cyberattack on Co-op was one of several coordinated attacks also targeting Marks & Spencer (M&S) and Harrods earlier this year. On July 10, 2025, the UK’s National Crime Agency (NCA) announced the arrest of four individuals suspected of orchestrating these cyberattacks.
The suspects include:
- A 17-year-old British male from the West Midlands
- A 19-year-old Latvian male, also from the West Midlands
- A 19-year-old British male from London
- A 20-year-old British female from Staffordshire
All four were arrested at their home addresses on suspicion of blackmail, money laundering, offenses under the Computer Misuse Act, and participating in the activities of an organized crime group.
They have since been released on bail as investigations continue. Police also seized various electronic devices from their homes as part of the evidence collection process.
Ongoing Recovery and New Cybersecurity Initiatives
Co-op has not yet disclosed the financial impact of the data breach but confirmed that it is still working to restore back-end systems affected by the incident. In response to the Co-op cyberattack, the retailer is launching a partnership with The Hacking Games, a cybersecurity recruitment organization that seeks to steer young talent toward ethical hacking careers.
As part of this initiative, Co-op is planning a pilot program with the Co-op Academies Trust, which oversees 38 schools across England, aiming to build interest and skillsets in cybersecurity at an early age.
Timeline and Scope of the Co-op Cyberattack
The Co-op cyberattack was first acknowledged by the company on April 30, when the company reported a attack affecting its call center and back-office operations. However, within days, the full extent of the incident became clear.
Co-op later confirmed that hackers had gained access to information related to both current and former members. Reports indicate that the company managed to prevent further damage by quickly disconnecting internet access from internal networks, thereby stopping the hackers from deploying ransomware that could have escalated the disruption.
LVMH Hit by Multiple Cyberattacks
The Co-op incident is part of a growing trend in cyberattacks against well-known brands. According to The Cyber Express, luxury retailer Louis Vuitton, under parent company LVMH, has also suffered repeated cyberattacks in recent months.
The most recent LVMH cyberattack occurred on July 2, 2025, following earlier breaches at Christian Dior Couture and Louis Vuitton Korea. In each case, personal data such as names, contact details, and purchase histories were accessed. However, LVMH stated that no financial or payment data was compromised.
“Louis Vuitton recently discovered an unauthorized party had accessed some of the data it holds for its clients. We immediately began taking steps to investigate and contain this incident, supported by leading cybersecurity experts,” a company spokesperson told The Cyber Express.
The company has since notified the UK Information Commissioner’s Office and is contacting affected customers in compliance with data protection laws.
Conclusion
The back-to-back attacks on Co-op, M&S, Harrods, and LVMH underline the increasing frequency and impact of cyber threats across sectors. With sensitive data often targeted, even when financial information remains secure, businesses are being forced to reassess their security postures.
Co-op’s decision to engage with cybersecurity education initiatives signals a forward-looking approach that goes beyond damage control. It reflects a shift towards preparing the next generation to work on the right side of digital defense.
