Cyber correspondent, World Service
Technology reporter
The chief executive of Co-op has confirmed that all 6.5 million of its members had their data stolen in a cyber-attack on the retailer in April.
“I’m devastated that information was taken. I’m also devastated by the impact that it took on our colleagues as well as they tried to contain all of this,” Shirine Khoury-Haq told Breakfast in her first public interview since the hack.
“There was no financial data, no transaction data but it was names and addresses and contact information that was lost,” she added.
Ms Khoury-Haq said that she was “incredibly sorry” for the attack and that it was “personal” to her because of the impact that it had on her colleagues.
“Early on I met with our IT staff and they were in the midst of it. I will never forget the looks on their faces, trying to fight off these criminals,” she said.
The hackers were removed from the systems but “could not erase what they did so we could monitor every mouse click,” and Co-op was able to send that information to authorities.
But she added: “We know a lot of that information is out there anyway, but people will be worried and all members should be concerned.”
Co-op runs on a membership scheme, where members are paid a share of the profits of the co-operative.
“It hurt my members, they took their data and it hurt our customers and that I do take personally,” Ms Khoury-Haq said.
Co-op has not put a figure on how much the hack will cost it, but it says it is still working to restore back-end systems.
One of its responses to the hack is to partner with a cyber-security recruitment company.
The Hacking Games identifies young talent to channel their skills into legal careers.
“The research shows that if you offer these kids talent development opportunities and career opportunities, the vast majority of them will take the legitimate pathway,” said its chief executive Fergus Hay.
It is planning a pilot programme with Co-op Academies Trust, which runs 38 schools in England.
What happened in the cyber-attacks?
Co-op was one of three retailers, alongside Marks and Spencer (M&S) and Harrods, that were victims of cyber-attacks in spring this year.
Co-op announced on 30 April that it had been hacked, initially saying it would only have a “small impact” on its call centre and back office.
But days later, after being contacted by the alleged hackers, News revealed that customer and employee data had been accessed.
Co-op then admitted the criminals had “accessed data relating to a significant number of our current and past members”.
News later discovered from the alleged attackers that the company disconnected the internet from IT networks in the nick of time to stop the hackers from deploying ransomware and so causing even more disruption.
M&S also had customer data stolen, and is still getting its systems back to normal after huge disruption which has cost it millions of pounds.
Last week, the National Crime Agency (NCA) said four people had been arrested in connection with the hacks on Co-op and M&S.
These were a 20-year-old woman who was arrested in Staffordshire, and three males – aged between 17 and 19 – who were detained in London and the West Midlands.
They were apprehended on suspicion of Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group.
Additional reporting by Charlotte Edwards.
