MILLIONS of Co-op customers have been issued with an urgent warning after their private data was stolen in a cyber attack.
The Co-op has confirmed that personal details such as names, contact information and dates of birth of a “significant number” of its 6.2 million customers and past members have been compromised.
But the retailer said that members’ passwords, credit card details and transaction information were not leaked.
The Co-op also confirmed that “malicious” hacking attempts are still ongoing and it is still dealing with a “highly complex” situation.
In a message to Co-op members, Shirine Khoury-Haq, the chief executive of the group, warned members to “take the usual steps to keep their passwords safe”.
She said: “While we have been able to protect our Co-op from significant trading disruption, which is often the intent of these sorts of attacks, I am very sorry that this member information was accessed.
“While there is no impact to your account, and you can continue to trade with us as normal, I appreciate that members will be concerned.”
The data breach came to light after hackers contacted the BBC with evidence they had stolen customer data.
The National Crime Agency and National Cyber Security Centre are investigating the situation.
The Co-op said it has implemented measures to minimise disruption for customers.
What do I need to do?
If your data has been breached then it is important that you act quickly to secure your account and take measures to stop yourself from becoming a victim of fraud.
You may be contacted by the Co-op to let you know that your data has been accessed.
Co-op statement on hack attack
“WE are continuing to experience sustained malicious attempts by hackers to access our systems. This is a highly complex situation, which we continue to investigate in conjunction with the NCSC and the NCA.
“We have implemented measures to ensure that we prevent unauthorised access to our systems whilst minimising disruption for our members, customers, colleagues and partners.
“As a result of ongoing forensic investigations, we now know that the hackers were able to access and extract data from one of our systems.
“The accessed data included information relating to a significant number of our current and past members.
“This data includes Co-op Group members’ personal data such as names, contact details and dates of birth, and did not include members’ passwords, bank or credit card details, transactions or information relating to any members’ or customers’ products or services with the Co-op Group.
“We appreciate that our members have placed their trust in our Co-op when providing information to us. Protecting the security of our members’ and customers’ data is a priority, and we are very sorry that this situation has arisen.”
The company may also tell you what types of sensitive information were stolen.
This could include your date of birth, full name, address, biometric data, password and passcodes.
The level of risk you face will depend on what type of data was stolen.
It is a good idea to update your password immediately.
Do not reuse a password from another account.
You should also set up two-factor authentication if you have not done so already.
This requires you to get a confirmation code via text message or email every time you log in, to prove it is you.
This makes it much harder for fraudsters to access your account.
Keep an eye out for phishing emails that claim to be from your bank or a government official.
These emails often try to con you into handing over more sensitive information or trick you into giving them access to your financial accounts.
Look out for messages urging you to act now or suggesting that you will lose certain benefits or access to your account.
They may say things such as “this is your final chance to get a discount” or “act now to avoid losing access to your account”.
Do not click on attachments from companies or organisations you do not know.
Which other retailers have been hit by cyber attacks?
M&S revealed it had been hit by a major cyber attack on Monday, April 21.
Customers noticed that contactless payments were down and there was disruption to click and collect orders.
Timeline of cyber attack
- Saturday, April 19: Initial reports emerge on social media of problems with contactless payments and click-and-collect services at M&S stores across the UK. Customers experience difficulties collecting online purchases and returning items due to system issues.
- Monday, April 21: Problems with contactless payments and click-and-collect persist. M&S officially acknowledges the “cyber incident” in a statement to the London Stock Exchange. CEO Stuart Machin apologises for the disruption and confirms “minor, temporary changes” to store operations. M&S notifies the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) and engages external cybersecurity experts.
- Tuesday, April 22: Disruptions continue. M&S takes further systems offline as part of “proactive management”.
- Wednesday, April 23: Despite earlier claims of customer-facing systems returning to normal, M&S continues to adjust operations to maintain security. Contactless payments are initially restored, but other services, including click-and-collect, remain affected.
- Thursday, April 24: Contactless payments and click-and-collect services are still unavailable. Reports surface suggesting the attackers possibly gained access to data in February.
- Friday, April 25: M&S suspends all online and app orders in the UK and Ireland for clothing and food, although customers can still browse products. This decision leads to a 5% drop in M&S’s share price.
- Monday, April 28: M&S is still unable to process online orders. Around 200 agency workers at the main distribution centre are told to stay home.
- Tuesday, April 29: Information suggests that the hacker group Scattered Spider is likely behind the attack. Shoppers spot empty shelves in selected stores.
The supermarket was then forced to suspend all online orders through its website and app last Friday.
M&S said this was part of its “proactive management” of the situation and apologised to customers for the disruption.
Shoppers have also reported empty shelves and shortages of popular items including Percy Pig sweets, bananas and Colin the Caterpillar cakes.
Luxury department store Harrods has also been targeted by hackers.
A Harrods spokesperson said: “We recently experienced attempts to gain unauthorised access to some of our systems.
“Our seasoned IT security team immediately took proactive steps to keep systems safe, and as a result, we have restricted internet access at our sites today.”
It said its stores and website were operating as normal and customers should not do anything differently.
An infamous criminal gang called “Scattered Spider” is thought to be behind all of the cyber attacks.
These types of attacks are designed to steal information or gain access to systems, then demand a sum of money in exchange.