Co-op confirms data breach exposed sensitive customer information

UK-based retail chain Co-op said the data security incident it suffered recently compromised the sensitive personal information of its customers.

 

Last week, a Co-op spokesperson revealed that the company was targeted by an attempted network intrusion where an unauthorised third party tried to breach the network with malicious intent.

 

“We have recently experienced attempts to gain unauthorised access to some of our systems. As a result, we have taken proactive steps to keep our systems safe, which has resulted in a small impact on some of our back office and call center services,” the spokesperson said.

 

The company spokesperson added that while the attempted network intrusion caused some disruption to its services, Co-op stores, its quick commerce operations, and funeral homes are operating as usual.

 

Recently, the BBC reported that a member of the “DragonForce” hacking group contacted the media house and claimed responsibility for the cyber attack on Co-op. The group added that it is also responsible for the recent attack on M&S.

 

According to BleepingComputer, the group breached Co-op’s internal network on April 22 and stole the Windows domain’s NTDS.dit file, a method also used in the M&S breach.

 

An NTDS.dit file serves as the central database for Active Directory, storing essential information that powers authentication and authorisation throughout the company’s network. This file also contains password hashes for Windows accounts, which, if extracted by threat actors, can be used to gain access to associated plain-text passwords.

 

Acknowledging the claims of the hacker group, in a statement shared with the media, a Co-op spokesperson said, “As a result of ongoing forensic investigations, we now know that the hackers were able to access and extract data from one of our systems.

 

“The accessed data included information relating to a significant number of our current and past members.

 

“This data includes Co-op Group members’ personal data such as names and contact details, and did not include members’ passwords, bank or credit card details, transactions or information relating to any members’ or customers’ products or services with the Co-op Group,” the spokesperson added.