UK retail giant Co-op confirms data breach as DragonForce ransomware claims attack, exposing millions of customer records.

Continue reading
UK retail giant Co-op has confirmed a large-scale data breach after affiliates of the DragonForce ransomware gang claimed responsibility for a cyberattack that compromised sensitive information of millions of current and former customers. Initially downplayed by the company, the breach highlights escalating threats from financially motivated hackers leveraging social engineering tactics.
On April 22, threat actors linked to the Scattered Spider/Octo Tempest collective breached Co-op’s systems using a social engineering attack. Posing as legitimate personnel, hackers reset an employee’s password to infiltrate the network. Once inside, they extracted the Windows NTDS.dit file—a critical Active Directory database containing password hashes for user accounts. This allowed attackers to potentially move laterally across Co-op’s infrastructure.
While Co-op initially stated the breach caused minimal damage, forensic investigations revealed hackers stole personal data, including names and contact details, of a “significant number” of loyalty program members. DragonForce affiliates later boasted to the BBC that they had access to records for 20 million people, though Co-op had not verified this figure.
DragonForce operatives contacted Co-op’s cybersecurity executives via Microsoft Teams, sharing screenshots of stolen corporate and customer data as proof. Internal emails seen by the BBC warned employees to avoid sharing sensitive information on Teams, signaling lingering concerns about ongoing access.
Co-op has since partnered with Microsoft’s Detection and Response Team (DART) and KPMG to rebuild Windows domain controllers, harden Entra ID (formerly Azure AD), and secure AWS environments. The company emphasized that passwords, bank details, and transaction histories remained untouched.
DragonForce, a ransomware-as-a-service (RaaS) operation, demands ransoms in exchange for decryptors and promises to delete stolen data. Affiliates keep 70-80% of payouts, incentivizing aggressive extortion. The group has also claimed responsibility for recent attacks on Marks & Spencer and an attempted breach of luxury retailer Harrods.
The attack mirrors tactics attributed to Scattered Spider—a decentralized collective of hackers specializing in social engineering, SIM swapping, and MFA fatigue attacks. While some members were arrested in 2023 following high-profile breaches at MGM Resorts and Reddit, new actors have adopted their playbook, complicating law enforcement efforts.
Cybersecurity researcher Will Thomas urges organizations to adopt multi-layered defenses against social engineering, including:
_“These attackers prey on human vulnerabilities,”_ Thomas said. _“Training employees to recognize phishing attempts and enforcing zero-trust policies are critical.”_
Affected members are advised to monitor for phishing emails or calls exploiting stolen contact details. Co-op has not disclosed whether ransomware was deployed or if a ransom demand was made. The Information Commissioner’s Office (ICO) is investigating the breach, which could result in fines under GDPR if security failures are proven.
The Co-op breach underscores the vulnerability of legacy systems like Active Directory and the growing boldness of ransomware gangs. With DragonForce emerging as a major player, businesses worldwide face pressure to fortify defenses against an evolving threat landscape.
Co-op stated, _“We continue to investigate this incident and apologize for the concern this may cause.”_ The company has yet to confirm if data will be published on DragonForce’s dark web leak site.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation