The cyberattack carried out against well known high street chain, the Co-op, seems to be worse than first reported.

Last week the the mutual had admitted that it had to shutdown parts of its IT systems, including those running stores and its legal services division. The stock monitoring system was also understood to be one of those systems affected.

The Co-op owns more than 2,000 grocery stores and over 800 funeral parlours in the UK, as well as legal and financial services businesses. But now it has admitted that member data has also been compromised.

Member data

In an update last Friday, the mutual said it is “continuing to experience sustained malicious attempts by hackers to access our systems. This is a highly complex situation, which we continue to investigate in conjunction with the NCSC and the NCA.”

“We have implemented measures to ensure that we prevent unauthorised access to our systems whilst minimising disruption for our members, customers, colleagues and partners,” it stated. “As a result of ongoing forensic investigations, we now know that the hackers were able to access and extract data from one of our systems.”

“The accessed data included information relating to a significant number of our current and past members,” it admitted. “This data includes Co-op Group members’ personal data such as names and contact details, and did not include members’ passwords, bank or credit card details, transactions or information relating to any members’ or customers’ products or services with the Co-op Group.”

“We appreciate that our members have placed their trust in our Co-op when providing information to us,” it concluded. “Protecting the security of our members’ and customers’ data is a priority, and we are very sorry that this situation has arisen.”

CEO update

Meanwhile the Co-Op CEO, Shirine Khoury-Haq, also provided an update, in which she admitted that the “criminals that are perpetrating these attacks are highly sophisticated.”

Khoury-Haq said that Co-Op It staff are “working tirelessly to do three things: (1) protect and defend our Co-op, (2) fully understand the extent of the impact caused by the attack and (3) provide much needed information to the authorities that may help them with their investigations.”

She said that actively managing the severity of the attack meant shutting down some of IT systems to protect the organisation.

“As previously communicated, we have established that the cyber criminals were able to access a limited amount of member data,” said Khoury-Haq.

“This is obviously extremely distressing for our colleagues and members, and I am very sorry this happened,” she added. “We recognise the importance of data protection and take our obligations to you and our regulators seriously, particularly as a member-owned organisation.”

Retailer attacks

Earlier this week GCHQ’s National Cyber Security Centre (NCSC) had warned that British organisations should tighten up their cyber defences after a series of high profile cyberattacks against well known high street retailers.

The first UK retailer to be hit was was Marks & Spencer (M&S), after it apologised and stopped taking online and app orders following a cyberattack.

Indeed, so severe is the cyberattack impact on M&S, that it had instructed agency staff at its central England distribution centre near Derby to stay at home.

Then it emerged that the Co-op had suffered a cyberattack.

Shortly after Harrods, a globally recognised purveyor of luxury items, became the third major UK retailer to confirm an attempted cyberattack on its systems in under two weeks.