
Co-op Cyber Attack: £206m Cost, Data Breach & Updates
When 6.5 million Co-op members woke up to news their personal details had been stolen, it marked one of the most significant retail data breaches in recent UK history. The attack exposed names, addresses, phone numbers, and dates of birth belonging to members—though passwords and bank details remained secure.
Sales loss: £206m · Profit hit: £80m · Members affected: 6.5 million · Arrests made: 4 · Attack date: April 2024
Quick snapshot
Confirmed
- Malicious cyber-attack confirmed by Co-op (Security Affairs)
- £206m sales loss, £80m profit impact (Security Affairs)
- 4 individuals arrested by UK NCA (Security Affairs)
Still unclear
- Whether DragonForce hackers operated alone or had accomplices beyond the four arrested
- Full timeline of data exfiltration before detection
- Precise amount Co-op will ultimately pay in GDPR compensation claims
Timeline
- April 2024: Attack occurs; Co-op disconnects networks to avoid ransomware lockdown
- May 2024: DragonForce contacts BBC claiming responsibility; provides stolen data proof
- July 2024: NCA arrests four suspects aged 17–20 across London and West Midlands
What’s next
- Ongoing class-action lawsuits seek compensation for affected members
- ICO regulatory investigation may result in £15–20 million fine
- Co-op faces potential £325 million exposure if all 6.5 million members claim GDPR compensation
Key figures from the incident provide a financial snapshot of the breach’s scale.
| Label | Value |
|---|---|
| Incident Date | April 2024 |
| Data Affected | 6.5 million members |
| Sales Loss | £206m |
| Profit Impact | £80m |
| Arrests | 4 by NCA |
| Targets | Co-op, M&S, Harrods |
Has Co-op been hacked?
Yes. Co-op suffered a malicious cyber-attack in April 2024 that compromised data belonging to 6.5 million current and past members. The breach exposed names, addresses, email addresses, phone numbers, membership details, and dates of birth. Co-op initially stated there was “no evidence that customer data was compromised,” but later confirmed threat actors had accessed member information when DragonForce ransomware group contacted the BBC in May 2024 with proof of the stolen data.
Attack details
DragonForce ransomware-as-a-service was used to compromise Microsoft Teams and Windows Active Directory, according to cybersecurity analysis from The Small Business Cybersecurity Guy. Hackers shared screenshots of their first extortion message via Microsoft Teams on 25 April 2024. Co-op avoided a full ransomware lockdown by immediately disconnecting its networks—a move that limited encryption damage but didn’t prevent data theft.
Data stolen
The stolen information included names, addresses, email addresses, phone numbers, membership details, and dates of birth, according to Security Affairs. Critically, passwords, bank details, credit card details, and transaction information were not extracted. DragonForce claimed to have private information of 20 million people who signed up to Co-op’s membership scheme, though Co-op confirmed the actual breach affected 6.5 million members. The same threat actors also claimed responsibility for the M&S attack and told the BBC they attempted to hack Harrods.
Official confirmation
Co-op officially confirmed the breach in July 2024 after weeks of initially declaring there was “no evidence that customer data was compromised.” A Co-op spokesperson promised ongoing updates through their dedicated cyber incident page. The Cyber Monitoring Centre subsequently labeled the attacks on M&S and Co-op as a Category 2 systemic event in June 2024, estimating combined losses between £270 million and £440 million.
The gap between Co-op’s initial denial and eventual confirmation highlights a common corporate dilemma: balancing public reassurance against incomplete incident assessments. Members who received the initial “no evidence” message may have waited months before understanding their data was at risk.
What did the Co-op cyber attack cost?
The financial toll has been substantial and multi-layered. Co-op reported £206 million in lost sales and an £80 million hit to profits, with direct incident costs totaling £20 million for IT restoration, forensic investigation, and incident response. The retailer offered £10 discount vouchers to all 6.5 million affected members, which could reach £65 million if every member claimed. Sales declined 2% over the 12 weeks following the incident.
Sales impact
Total sales impact reached £206 million (approximately $275 million USD), with a 2% decline over the 12 weeks post-incident, according to Security Affairs. Co-op’s cost per affected customer was £12, remarkably lower than comparable breaches—TalkTalk’s 2015 breach cost £382–489 per customer, while Tesco Bank paid £525 per affected account in 2016.
Profit loss
The £80 million earnings impact figure was confirmed by Co-op in September 2024. Direct incident costs added another £20 million for IT restoration, forensic investigation, and incident response. Co-op did not have cyber insurance coverage for ransomware attacks, leaving the company to absorb these costs directly.
Broader effects
Industry analysts estimate potential ICO (Information Commissioner’s Office) fines of £15–20 million based on breach scale and precedents. The ICO can fine up to £17.5 million or 4% of worldwide turnover, whichever is higher. Multiple class-action lawsuits are currently in progress against Co-op, and at the lower end of GDPR compensation (£50 per person), Co-op faces potential £325 million in member compensation exposure. Co-op’s final bill could reach £400–500 million once all costs, compensation, and fines are settled.
Co-op’s £12 cost per affected customer looks efficient compared to past UK breaches—but that figure excludes the massive class-action lawsuit exposure and potential ICO fine that could add hundreds of millions more to the final bill.
Is the Co-op back to normal after a cyber attack?
Co-op announced a return to normal trading following the cyber-attack, with the retailer restoring systems and resuming regular operations. The company credited colleagues for their response during the incident and committed to ongoing updates through official channels. However, the legal and financial fallout continues, with class-action lawsuits and regulatory investigations still pending.
Recovery timeline
The path to recovery involved immediate network disconnection to prevent ransomware spread, followed by weeks of system restoration and forensic investigation. Direct incident costs totaled £20 million for IT restoration, forensic investigation, and incident response. The UK National Cyber Security Centre classified the attacks alongside the M&S breach as a coordinated campaign by the DragonForce ransomware group.
Return to trading
Co-op confirmed a return to normal trading and committed to providing regular updates through its dedicated cyber incident page. A Co-op spokesperson stated the company would continue updating affected members as more information became available. The retailer also offered £10 discount vouchers to all 6.5 million affected members as a goodwill gesture, though this required a minimum £40 spend to redeem.
Ongoing updates
The recovery narrative remains incomplete. Class-action lawsuits continue to work through courts, the ICO investigation proceeds, and the four arrested suspects aged 17–20 face charges including Computer Misuse Act offences, blackmail, money laundering, and participation in organized crime. Electronic devices were seized from all suspects for digital forensic analysis.
Can I claim for Co-op data breach?
Yes—if you were a Co-op member whose data was compromised, you may be eligible for compensation under UK GDPR and data protection law. Multiple class-action lawsuits are already in progress, and individual claims for data breach compensation typically range from £25–£150 per person for basic breaches, according to Legal Expert. To pursue a claim, you must demonstrate that failings by the data controller (Co-op) caused the breach.
Eligibility check
If you were a current or past Co-op member at the time of the April 2024 breach, your personal data was likely exposed. Co-op confirmed that threat actors accessed data belonging to current and past members. At the lower end of GDPR compensation (£50 per person), Co-op faces potential £325 million in member compensation exposure if all 6.5 million members claim.
Compensation process
Data breach compensation can include material damage (financial losses) and non-material damage (psychiatric injuries). According to Legal Expert, severe psychiatric injury compensation ranges from £54,830 to £115,730 under Judicial College Guidelines. Multiple law firms are already pursuing class-action lawsuits against Co-op on behalf of affected members, with no-win no-fee arrangements available.
GDPR claims
Under UK GDPR, you have the right to claim compensation if you suffered harm due to a data breach caused by the data controller’s failures. Co-op initially told members there was “no evidence” their data was compromised—later proven incorrect—which may strengthen arguments around delayed notification and compounded distress. Compensation can include moderate PTSD claims ranging from £8,180 to £23,150, with less severe cases receiving £3,950 to £8,180.
Fraudsters are already exploiting the breach. Members should verify all communications claiming to be from Co-op or legal firms—scammers are using phishing emails and fake claim sites targeting people worried their data was stolen.
What to do after Co-op cyber attack?
If you were a Co-op member, take immediate steps to protect yourself: check whether your data was exposed, monitor for suspicious activity, and be alert to phishing attempts. Consider joining a compensation claim through a reputable legal service, but verify the firm is legitimate before sharing any personal information.
Check if affected
Co-op has notified affected members directly. If you received a notification from Co-op about the breach, your data was likely among the stolen information. If you’re unsure whether you were affected, monitor your email for communications from Co-op’s official channels. The retailer committed to updating members through their cyber incident page.
Signs of hack
Watch for: unexpected password or security alerts on accounts linked to your Co-op membership details; phishing emails using your name, address, or phone number; unfamiliar login attempts on accounts using your email; and any suspicious financial activity. While passwords and bank details were not stolen in this breach, scammers may use the personal information to craft convincing phishing attempts.
Next steps
Change passwords on accounts using the same email or phone number exposed in the breach. Enable two-factor authentication where available. Document any suspicious contacts for potential legal evidence. Consider joining an established class-action lawsuit rather than filing individually—group claims reduce legal costs and increase collective bargaining power. Report phishing attempts to the National Cyber Security Centre’s reporting service.
How to check if your data was breached and take action
- Review your inbox: Look for official Co-op communications about the cyber incident. Check spam folders for notifications that may have been filtered.
- Monitor accounts: Watch bank statements and online accounts linked to your Co-op membership details for the next 12 months.
- Report phishing: Forward suspicious emails claiming to be from Co-op to NCSC (National Cyber Security Centre) and your email provider.
- Consider legal action: Research reputable class-action law firms handling the Co-op breach case. Verify their credentials through the Solicitors Regulation Authority before signing any agreements.
- Strengthen security: Update passwords on related accounts and enable two-factor authentication wherever possible.
Timeline of events
The Co-op cyber attack unfolded over several months, with key developments from initial breach through law enforcement action.
| Date | Event |
|---|---|
| April 2024 | Cyber-attack occurs on Co-op systems; network disconnection prevents ransomware lockdown |
| May 2024 | DragonForce contacts BBC claiming responsibility; provides proof of stolen data from Co-op |
| July 2024 | Co-op reveals 6.5 million members’ data stolen; NCA arrests four suspects aged 17–20 |
| September 2024 | Co-op announces financial costs: £206m sales loss, £80m profit impact |
What’s confirmed and what’s still unclear
Confirmed facts
- Attack in April 2024 confirmed malicious
- 6.5 million members’ data stolen
- Financial figures from Co-op: £206m sales, £80m profits
- Four arrests by UK NCA in July 2024
- DragonForce ransomware group responsible
- M&S and Harrods also targeted by same group
What’s unclear
- Whether the four arrested individuals acted alone or coordinated with others
- Full extent of data exfiltration timeline before detection
- How Co-op’s security systems were penetrated initially
- Final amount Co-op will pay in compensation settlements
- Whether additional retailers were targeted beyond public knowledge
What experts are saying
The four arrested individuals faced charges of Computer Misuse Act offences, blackmail, money laundering, and participation in organized crime. Electronic devices were seized from all four suspects for digital forensic analysis. One suspect is Latvian, with arrests occurring in London and West Midlands. — Security Affairs (Cybersecurity news outlet)
Co-op’s cost per affected customer was £12, compared to TalkTalk’s 2015 breach at £382–489 per customer. This relatively low per-customer cost reflects Co-op’s quick network disconnection that prevented full ransomware encryption. — The Small Business Cybersecurity Guy (Cybersecurity industry analyst)
The Co-op breach reveals a troubling reality for UK retailers: even well-resourced organizations remain vulnerable to sophisticated ransomware groups. DragonForce’s ability to simultaneously target Co-op, M&S, and attempt Harrods demonstrates the coordinated nature of modern cyber threats. The contrast between Co-op’s swift technical response (disconnecting networks within hours) and its delayed public acknowledgment (weeks of “no evidence” statements) illustrates how operational security and corporate communication don’t always align.
For UK consumers, the lesson is structural rather than personal: no amount of password hygiene protects you when the organization holding your data is breached. The class-action route offers collective recourse, but the legal process spans years—meaning affected members face immediate fraud risk while waiting for resolution.
Frequently asked questions
How much did Co-op cyber attack cost?
Co-op reported £206 million in lost sales and an £80 million hit to profits. Direct incident costs added another £20 million for IT restoration and forensic investigation. With potential ICO fines of £15–20 million and class-action compensation exposure of up to £325 million, the final bill could reach £400–500 million.
Was Co-op cyber attack linked to other retailers?
Yes. DragonForce ransomware group claimed responsibility for attacks on Co-op and M&S, and told the BBC they attempted to hack Harrods. The Cyber Monitoring Centre classified these as a Category 2 systemic event in June 2024, estimating combined losses between £270 million and £440 million.
What is the average payout for a data breach?
Under GDPR, individual claims for data breach compensation typically range from £25–£150 per person for basic breaches. At £50 per person for 6.5 million affected Co-op members, potential exposure is £325 million. Psychiatric injury claims can be substantially higher—severe PTSD compensation ranges from £59,860 to £100,670 under Judicial College Guidelines.
How can I tell if I was part of a data breach?
Co-op has directly notified affected members. Check your email (including spam folders) for official Co-op communications about the cyber incident. If you received a notification, your data was likely among the stolen information. You can also monitor your accounts for suspicious activity linked to your membership details.
What are the signs your computer has been hacked?
Watch for: unexpected password reset emails; unknown login notifications; slow performance or unfamiliar programs running; new toolbars or browser extensions you didn’t install; ransom messages demanding payment; and unfamiliar transactions in bank statements. In this breach, passwords and bank details were not stolen, but scammers may use personal information for phishing.
Will Co-op survive a cyber attack?
Co-op announced a return to normal trading and continues operating. However, the financial impact is significant—£80 million profit hit plus potential fines and compensation claims that could reach £400–500 million. The retailer has no cyber insurance for ransomware attacks, meaning costs are absorbed directly. Whether long-term brand damage affects membership numbers remains to be seen.
What is the latest update on Co-op cyber attack?
Four individuals aged 17–20 were arrested by the UK NCA in July 2024 in connection with the cyberattacks. They face charges including Computer Misuse Act offences, blackmail, money laundering, and participation in organized crime. Electronic devices were seized for forensic analysis. Class-action lawsuits continue through the courts, and the ICO investigation remains ongoing.