The Co-operative Group’s supermarket chain was hit by a significant cyber-attack that disrupted operations across its UK retail network, compromising data and affecting supply. April’s cyber-attack, one of the most serious on a UK retailer in recent years, has raised fresh concerns about data protection and the vulnerabilities of critical infrastructure within businesses.
Reporters, including cyber-crime correspondents, have been contacted by the suspected hackers, who claim they used Ransomware called DragonForce, which operates an affiliate cyber-crime service that allows anyone to use their software and website to carry out attacks and extortions. While it has not been confirmed who is using the service to attack the retailers, some security experts say they are familiar with the tactics used by a particular group of hackers.
The breach targeted the Co-op’s internal IT systems, prompting a swift response from the company, who shut down parts of its infrastructure to contain the threat. This action, while essential for damage control, led to operational setbacks across its food retail division. This meant staff were unable to view inventory in real time, severely hindering their ability to manage stock and fulfil orders. The result was empty shelves in many branches, particularly in rural or remote areas.
The effects on the Co-op’s online systems were also devastating. Online grocery ordering was disabled in some areas as an extra security measure.
As well as the operational disruption, the breach raised serious concerns about the security of customer and employee data. In an official statement, the Co-op acknowledged that members’ personal information had been accessed, including names, email addresses, phone numbers, residential addresses, and dates of birth. However, the company was quick to state they did not believe payment card data or passwords had been compromised.
Nevertheless, the potential misuse of the accessed personal data is still a serious concern. Personal information can be used in phishing campaigns or identity fraud, particularly when combined with order data already available on the dark web. The Co-op has advised customers to remain vigilant for suspicious emails, texts or calls and to report any suspected phishing attempts. They have also reminded customers to never provide passwords or financial information in response to unsolicited communications.
In response to the incident, the Co-op has launched a full investigation with the National Cyber Security Centre (NCSC) and the National Crime Agency. The Information Commissioner’s Office has also been notified, as is legally required under the UK’s General Data Protection Regulation (GDPR) for serious data breaches. Investigations into the full scale of the breach are ongoing, and more details should emerge in the coming weeks as forensic teams analyse the compromised systems and identify any residual risks.
The attack on the Co-op is not an isolated incident. It is part of a concerning trend that has seen an increase in cyber-attacks targeting major UK retailers. Marks & Spencer (M&S) and Harrods have also recently reported incidents. In M&S’s case, a similar data breach involved the theft of personal customer information and resulted in them shutting down parts of the infrastructure.
As the nature of retail becomes increasingly digital due to online shopping, loyalty schemes, digital wallets and more, the potential fallout from cyber-incidents becomes even greater.
NCSC CEO Richard Horne said in a statement: “These incidents should act as a wake-up call to all organisations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.”
What makes the Co-op breach particularly significant is its scale and nature. Unlike some cyber-attacks that go unnoticed by the public, this incident had visible and immediate consequences for shoppers and employees. Store shelves were unstocked, deliveries were delayed or cancelled, and staff were left unable to perform basic operational tasks. Additionally, customers had to navigate uncertainty about if their personal data was stolen, while seeking information about the breach that is not readily available.
What are my rights if I’ve been affected by the data breach?
From a legal standpoint, if your personal data has been compromised, you could be eligible to claim compensation from the organisation that suffered the cyber-attack, particularly if there has been any negligence in data handling or a failure to adequately protect personal information.
Regardless of the findings from investigations, GDPR gives you the right to claim compensation as a result of the organisation failing to adhere to data protection laws. This includes “material damage” (financial loss) or “non-material damage” (e.g. you have suffered distress).
At Barings Law, we specialise in handling data breach claims for those who have had had their personal data exposed in cyber-attacks. We are closely monitoring the Co-op’s situation and how customers and employees have been affected.
At Barings Law, your legal concerns are our top priority. Whether you need guidance on a complex legal matter or have questions about our services, our team is ready to assist you.
Copyright © 2024 Barings Law.
All rights reserved.
