By JADA BAS
A cybergang have boasted that they stole 20 million Co-op customers’ data as it is revealed the hack is more serious than the retailer admitted.
The criminals, calling themselves DragonForce, said they had infiltrated the supermarket chain’s IT network and stolen both customer and employee data, including contact details, in their cyberattack on Wednesday.
But the group have claimed that the breach was far more serious than what the company had told the public.
Co-op had previously claimed that the cyberattack only had a ‘small impact’ on its operations and insisted there was ‘no evidence that customer data was compromised’.
However, yesterday a Co-op spokesman said the hackers ‘accessed data relating to a significant number of our current and past members’.
In extortion messages sent to Co-op’s head of cybersecurity on April 25, seen by the BBC, the group said: ‘Hello, we exfiltrated the data from your company.’ It added: ‘We have customer database, and Co-op member card data.’
The hackers were able to access customer and employee usernames, passwords, membership card numbers, names, home addresses, emails and phone numbers, in databases shared with the BBC.
The Co-op has now disclosed the full extent of the breach to its staff and the stock market.


A spokesman said: ‘This data includes Co-op Group members’ personal data, such as names and contact details, and did not include members’ passwords, bank or credit card details, transactions or information relating to any members’ or customers’ products or services with the Co-op Group.’
It comes as DragonForce said it and its affiliates, which may include the Scattered Spider crew of teenage hackers, are responsible for attacks on Marks & Spencer, the Co-op and Harrods.
M&S was left reeling following the devastating hack two weeks ago which forced it to halt online sales for five days – with its share prices plummeting by more than £500m.
Following the alleged attack, some M&S stores have been left with empty shelves as the beleaguered retailer continues to battle with the fallout of a crippling hack.
Shoppers were left furious after some outlets were left ‘completely empty’, with items including bananas, fruit and vegetables, fish and Colin the Caterpillar cakes out of stock.
When asked, staff reportedly claimed the supply woes were linked to the suspected cyber attack, which has already forced M&S to cancel online orders.
M&S was forced to cancel wedding cake orders amid ongoing cyberattacks that have crippled its online operations.
The retailer was forced to shut down some of its systems after hackers launched a major ransomware attack almost two weeks ago.


M&S is still not taking online orders and has urged customers to shop in person at its stores this bank holiday weekend while it works ‘day and night’ to restore services.
An M&S spokeswoman told MailOnline: ‘As part of our proactive management of the incident, we took a decision to take some of our systems temporarily offline.
‘As a result, we currently have pockets of limited availability in some stores. We are working hard to get availability back to normal across the estate.’
But DragonForce have warned this is ‘just the start’ after admitting to being behind the attacks wreaking havoc on Britain’s high streets.
The hackers claimed to have stolen millions of customers’ data and said they are trying to force their victims to pay a ransom.
Retailers are on red alert for similar attacks, as DragonForce said it was poised to launch more. In an interview with Bloomberg, its anonymous creators threatened to release data if they do not receive payment from the retailers, saying they typically expect millions of pounds for ransom payments.
The group operates similarly to a criminal cartel and sells its software to other hackers, such as the Scattered Spider gang.
‘Our job is not to destroy, we just take some money and walk away,’ it said, also warning that the recent attacks were ‘just a start’. DragonForce hackers claimed more than 90 victims last year and targeted companies across various industries.
The Information Commissioner’s Office (ICO) urged M&S and Co-op customers to use strong passwords and different ones across multiple platforms.