Sunday, May 4, 2025

Co-op admits major data breach after hackers leak proof to BBC

DragonForce hackers leak data to BBC, forcing the Co-op to admit breach of member and staff information

Hackers have claimed responsibility for a major cyber attack against the Co-op Group, alleging they have stolen sensitive data on millions of customers and employees. The admission comes after the cyber criminals contacted the BBC directly, revealing proof of the breach and demanding a ransom.

The group, calling itself DragonForce, says it infiltrated the Co-op’s internal networks, exfiltrating usernames, passwords, and the personal information of as many as 20 million people. After initially downplaying the incident, Co-op confirmed late Friday that a “significant number” of past and present members had been affected.

“This data includes Co-op Group members’ personal data such as names and contact details,” a spokesperson acknowledged, adding that no bank, card or transaction details were stolen. However, the admission marks a stark reversal from the company’s earlier claim that there was “no evidence customer data was compromised.”

The revelation followed direct messages from the hackers to the BBC, including screenshots of internal Microsoft Teams chats with Co-op’s head of cyber security. One message sent on 25 April simply stated: “Hello, we exfiltrated the data from your company. We have a customer database and Co-op member card data.”

DragonForce also showed transcripts of video calls and messages sent to other executives, all part of an escalating campaign of intimidation and extortion.

The BBC was shown what appeared to be authentic samples of employee login credentials and a trove of 10,000 customer records, containing names, home addresses, email addresses, phone numbers, and membership card data. The broadcaster has confirmed it destroyed the data after viewing it.

While Co-op had described the cyber attack earlier in the week as having only a “small impact” on operations, internal security protocols were quietly tightened. Staff were instructed to keep their cameras on during meetings, verify participants’ identities, and avoid recording or transcribing calls—measures that now appear to have been directly prompted by fears of surveillance from within compromised systems.

The attack is believed to be part of a wider campaign. DragonForce also claimed responsibility for targeting M&S and attempting to breach Harrods. Government minister Pat McFadden, responsible for cybersecurity, has warned that these events should serve as a “wake-up call” for businesses across the UK.

“In a world where cyber criminals are relentless in their pursuit of profit, companies must treat cybersecurity as an absolute priority,” McFadden said, citing the “real-time disruption” caused by these incidents.

DragonForce is a ransomware group known for offering its malicious tools to affiliates in return for a cut of the profits. The group is believed to share links with so-called “Scattered Spider” or “Octo Tempest”—a loosely affiliated gang of English-speaking, often teenage hackers who coordinate attacks via Telegram and Discord.

Conversations with the Co-op hackers were conducted in text format, with the perpetrators using aliases inspired by US crime drama The Blacklist. “We’re putting UK retailers on the Blacklist,” they declared.

Co-op, which employs around 70,000 staff across its supermarkets, funeral homes, and insurance operations, has since disclosed the breach to both its staff and the London Stock Exchange. The company says it is cooperating fully with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).

As investigations continue, government officials are reportedly meeting to assess support for affected retailers and draft stronger policy protections. Co-op has issued a public apology: “We are very sorry this situation has arisen and are working hard to support affected individuals.”

The scale and boldness of the attack suggest a new level of sophistication in cyber extortion—and a troubling vulnerability in major British institutions.
