A significant cyber attack has recently caused widespread disruption to Co-op stores across the nation, impacting card payments and product availability. The attack, which began in late April 2025, has affected various aspects of the retailer's operations, from in-store payment systems to supply chain logistics.
The initial signs of the attack were problems with card payments: contactless payments failed in some locations, and some stores displayed "cash only" signs as their card machines went offline. Simultaneously, customers reported empty shelves and reduced product availability, indicating a disruption to Co-op's supply chain. The retailer has since acknowledged that the attack necessitated the temporary shutdown of certain elements of its supply chain and logistics operations. Co-op issued a warning to its suppliers, advising them not to send deliveries to Co-op depots without a direct go-ahead.
The Co-op first revealed it had shut down parts of its IT estate, having “recently experienced attempts to gain unauthorised access to some of our systems”. At the time it said the damage was limited to “a small impact to some of our back office and call centre services”. Days later, as it experienced “sustained malicious attempts by hackers”, the retailer said the hackers had been able to access data from one of its systems associated with current and past members.
The attackers, identified as the DragonForce group, claimed to have stolen a substantial amount of customer and employee data. While Co-op has confirmed that customer names, contact details, and dates of birth were accessed, it has said that no bank details, transaction information, or passwords were compromised. However, the cyber criminals allege they possess the private information of 20 million Co-op members, a figure the company has not confirmed. Screenshots of extortion messages sent to Co-op's head of cyber security, including claims of exfiltrated customer databases and member card data, have been shared with the BBC.
The cyber attack on Co-op is part of a recent wave of attacks targeting UK retailers, including Marks & Spencer (M&S) and Harrods. Technology publication BleepingComputer reported that the attacks on M&S and Co-op began with hackers impersonating employees and convincing help desks to reset passwords. The CEO of the National Cyber Security Centre (NCSC) has described these attacks as a "wake-up call to all organisations".
Co-op has taken proactive steps to manage the attack, including shutting down some of its systems to protect the organization. This decision, while disruptive in the short term, was a measure to prevent the hackers from inflicting further damage, such as deploying ransomware. The retailer is working with the NCSC and the National Crime Agency (NCA) to investigate the incident and restore normal operations.
The incident has prompted a wider discussion about cybersecurity preparedness in the retail sector. The Chair of the Business and Trade Select Committee has written to the CEOs of M&S and Co-op, seeking reassurance that the incidents are being managed effectively. Experts recommend that retailers strengthen their cyber defenses, given the increasing frequency and scale of data breaches. Some security experts say the tactics seen are similar to those of a loosely coordinated group of hackers who have been called Scattered Spider or Octo Tempest.
The Co-op has apologized to its customers and members for the disruption caused by the cyber attack. The retailer is working to minimize the impact on its services and resume normal deliveries as quickly as possible.