The Co-op has apologised after hackers accessed and extracted data relating to a “significant number” of its customers from one of its systems.
The group, which owns more than 2,000 grocery stores and more than 800 funeral parlours and offers legal and financial services, said hackers had been able to access personal data including names and contact details relating to an undisclosed number of the mutual’s current and past members – of which there are more than 6.2 million.
The Co-op was forced to shut down parts of its IT system on Wednesday after discovering an attempted hack days after Marks & Spencer faced a serious cyber-incident.
It said the hackers had not been able to access passwords or financial information such as bank or credit card details, transactions or information relating to any members’ or customers’ products or services with the Co-op Group.
However, in a message to Co-op members, Shirine Khoury-Haq, the chief executive of the group, recommended that members “take the usual steps to keep their passwords safe”.
“While we have been able to protect our Co-op from significant trading disruption, which is often the intent of these sorts of attacks, I am very sorry that this member information was accessed,” she wrote.
“While there is no impact to your account, and you can continue to trade with us as normal, I appreciate that members will be concerned.”
The National Cyber Security Centre and the National Crime Agency are assisting with the investigation, the company said.
A Co-op spokesperson said: “We are continuing to experience sustained malicious attempts by hackers to access our systems. This is a highly complex situation, which we continue to investigate in conjunction with the NCSC and the NCA.
“We have implemented measures to ensure that we prevent unauthorised access to our systems whilst minimising disruption for our members, customers, colleagues and partners.
“We now know that the hackers were able to access and extract data from one of our systems. The accessed data included information relating to a significant number of our current and past members.
“This data includes Co-op Group members’ personal data such as names and contact details, and did not include members’ passwords, bank or credit card details, transactions or information relating to any members’ or customers’ products or services with the Co-op Group.
“We appreciate that our members have placed their trust in our Co-op when providing information to us. Protecting the security of our members’ and customers’ data is a priority, and we are very sorry that this situation has arisen.”
The leak of data from the Co-op emerged after the data protection regulator said it was “making inquiries” with the Co-op and Marks & Spencer. It is understood that M&S customer data has not been accessed.
Stephen Bonner, deputy commissioner of the Information Commissioner’s Office said: “We recognise that seeing cyber-attacks in the news can be concerning, especially if you are a customer.
“If you are worried about your personal information, you can visit our website for advice and support. Make sure your accounts are protected by a strong password and that you are not using the same password across multiple accounts.
“We also advise checking regularly for updates from the organisation and following their advice if they confirm that your personal information has been impacted by a cyber-attack.”
