Co-op confirms attackers obtained large amount of customer data

02/05/2025 | The Guardian

Following last week's announcement that the Co-op had shut down part of its IT systems after discovering a serious cyber-incident, the British retailer has apologised after attackers accessed and exfiltrated the personal data of a "significant" number of its customers. By gaining access to one of its systems, the hackers obtained names and contact information relating to an undisclosed number of individuals, potentially totalling 6.2 million people. The Co-op confirmed that customer passwords, financial information and transaction data remained unaffected and protected.

In a statement, Stephen Bonner, Deputy Commissioner at the Information Commissioner's Office (ICO), confirmed that the regulator had received reports from the Co-op and Marks & Spencer and is making further enquiries.  

Meanwhile, a statement by Dr Richard Horne, CEO of the National Cyber Security Centre (NCSC), said: "The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public.

"The NCSC continues to work closely with organisations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture.

"These incidents should act as a wake-up call to all organisations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively."

A related article in the Financial Times (£) suggests that a collective of young men known as Scattered Spider could be responsible for the three incidents. 

Elsewhere, the article highlights that retailers "generally don't prioritise cyber security in the same way the regulated industries do, and there are more opportunities to target companies in retail and hospitality, manufacturing, and healthcare." The article also references ICO statistics from 2023, which show that 18% of breaches came from the retail sector.

£ - The Financial Times article requires a subscription. 
