The recent cyberattack on the Co-op Group has exposed personal information of potentially 20 million members, raising serious concerns over long-term Scam and Fraud Risks. Although the retailer initially claimed the breach had a “small impact” on operations, it later confirmed that a “significant” number of members’ data had been compromised. A hacking group, reportedly responsible for similar attacks on Marks & Spencer and Harrods, claimed to have stolen the personal data of 20 million individuals who had signed up for the Co-op’s membership program.
While the Co-op insisted that passwords, financial details, and transaction histories were not accessed, cybersecurity experts warn that even the basic personal information—such as names, addresses, phone numbers, and emails—can be a goldmine for scammers. Professor Alan Woodward, a leading authority from the Surrey Centre for Cyber Security, said this type of data is routinely sold on the dark web and can be exploited in phishing attempts, fraud, or social engineering schemes to extract more sensitive information from unsuspecting victims.
Experts Warn of Long-Term Fraud Potential on Scam and Fraud Risks
Professor Woodward emphasized that the danger isn’t always immediate. “Scammers use stolen data to build detailed profiles on individuals,” he explained, “which can then be used to commit serious fraud over time.” When combined with other leaked information—such as date of birth, National Insurance numbers, or bank details—these profiles can pass online identity checks, potentially enabling the opening of fraudulent accounts or applications for credit.
The Information Commissioner’s Office (ICO), which is working closely with the Co-op on the investigation, has urged members to take precautions. Individuals are advised to use strong, unique passwords, be cautious of suspicious emails and texts, and regularly monitor their financial accounts for unusual activity. Additionally, the UK’s Fraud Prevention Service offers protective registration to those concerned, requiring extra identity checks before credit can be issued in their name.
Despite the scale of the breach, Professor Woodward suggested that victims are unlikely to receive compensation unless they can prove direct financial loss. “The Supreme Court has ruled in similar cases that unless you suffer actual financial harm, legal recourse is limited,” he said.
Co-op Responds Amid Rising Cyber Threats of Scam and Fraud Risks
In response to the breach, the Co-op stated: “We appreciate that our members have placed their trust in our Co-op when providing information to us. Protecting the security of our members’ and customers’ data is a priority, and we are very sorry that this situation has arisen.” The company noted that it is working with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) to investigate the attack and has implemented further measures to defend against continued hacking attempts.
The Co-op’s statement also acknowledged the growing frequency and sophistication of cyberattacks against UK retailers. With DragonForce—a notorious hacking gang—taking responsibility for recent attacks on multiple major brands, the retail sector is under increasing pressure to reinforce cybersecurity protocols and protect consumer data from future breaches.
