The Co-op Group, one of the UK’s largest supermarket and insurance chains, has confirmed that hackers stole personal data belonging to approximately 6.5 million members during a cyberattack carried out in April 2026. The attackers — affiliates of the DragonForce ransomware gang — broke in after tricking an employee into resetting their password through a social engineering call. Once inside, they stole a core Windows security file that contains password hashes for employee accounts across the entire organisation.
The stolen data includes names, contact details, and membership records from Co-op’s loyalty rewards programme. Co-op says no payment card details or bank account information were taken, but the personal data exposed is still enough to fuel convincing phishing scams and identity fraud. UK police have arrested four people in connection with this attack and related ones on Marks & Spencer and Harrods — but the data is already out.
How to check if you’re affected
Affected products include the Co-op Membership App, Co-op membership cards, and any account registered through the Co-op membership rewards scheme. If you signed up for a Co-op membership at any point, assume your name and contact details may be in this dataset.
- Change your Co-op password if you have an online account, and use a unique password you don’t use anywhere else.
- Watch for phishing emails that pretend to be from Co-op, especially ones asking you to click links, verify your details, or claim a reward.
- Check your email inbox for any unusual messages referencing your Co-op membership.
- Co-op says they will contact affected members directly — treat any such contact cautiously and visit coop.co.uk directly rather than clicking links in emails.