All 6.5 million members of the Co-op had their data stolen in a cyber-attack in April, the company’s chief executive Shirine Khoury-Haq has said.

Khoury-Haq told the BBC Breakfast show in her first public interview since the breach that the incident was “personal” to her because of seeing the impact it had on IT staff and other colleagues.

Following the attack on 30 April, the Co-op initially said the hack would only have a “small impact” on its call centre and back office.

Data breach

After the alleged hackers contacted news media, reports said that customer and employee data had been accessed.

The Co-op then admitted that data relating to a “significant number of our current and past members” had been stolen.

The data included names, addresses and contact information, but no financial or transaction data, Khoury-Haq said.

The company is still restoring its back-end systems.

Khoury-Haq told the BBC she was “incredibly sorry” about the attack and related how she met IT staff while they were carrying out remediation efforts.

“I will never forget the looks on their faces, trying to fight off these criminals,” she said.

She said the Co-op had been able to monitor “every mouse click” of what the attackers had done on their systems, and reported the information to authorities.

Arrests

The Co-op reportedly disconnected its systems from the internet just in time to avoid ransomware being deployed on its network, but even so the disruption lasted for weeks and led to empty shelves in some stores.

Four people were arrested this month in connection with the attacks on the Co-op and other UK retailers.

They have all been released on bail, according to authorities.

Marks & Spencer and Harrods were also affected by attacks earlier this year, with M&S continuing to restore its systems.

Researchers have linked the attacks to the Scattered Spider group that disrupted Las Vegas casinos in 2023.