Co-op ‘could face compensation claims’ after hackers stole member data, lawyer warns

Co-op could face compensation claims and further regulatory scrutiny after admitting hackers stole member data, a lawyer has warned.

The convenience retailer revealed on 2 May that hackers had accessed personal data relating to a “significant number” of Co-op members.

Hackers were able to access Co-op members’ personal data such as names and contact details, but not passwords, bank or credit card details, or transactions data.

“The accessed data included information relating to a significant number of our current and past members,” a Co-op spokesperson said.

Senior data protection and privacy solicitor Becky White at law firm Harper James said: “The incident could lead to complaints and claims, damage reputation, and attract regulatory scrutiny.”

White said it exposed members to increased “danger of scams, identity theft and other fraud”. 

“These risks are not necessarily limited to just the short term either – affected individuals may experience negative consequences long after the incident itself.

“For Co-op, the impact of this attack could extend far beyond immediate interruption,” White added. “Incidents of this scale can cause major disruption to business operations, affect customer trust, expose individuals to future misuse of personal data, and result in financial losses.”

The Information Commissioner’s Office said on Friday it was making enquiries with Co-op about the cyberattack, while working closely with the National Cyber Security Centre. The ICO has also been in contact with M&S, which has been battling a cyberattack since 22 April.

White said that if regulatory investigations “flagged gaps” in the Co-op’s data protection and security compliance measures, then penalties could follow.

The Co-op has been diverting food and drink supplies to stores in remote locations to avoid shortages on shelves following the cyberattack on 30 April, according to The Telegraph.  The retailer is said to be prioritising the supply of essential items to shops on islands and in isolated towns.

It also paused contactless payments in about 200 of its 2,300 stores yesterday, before reinstating them later in the day.

Apologising on LinkedIn on Monday, Co-op CEO Shirine Khoury-Haq said: “The criminals that are perpetrating these attacks are highly sophisticated and our colleagues are working tirelessly to do three things: protect and defend our Co-op, fully understand the extend of the impact caused by the attack, and provide much-needed information to the authorities that may help them with their investigations.

“We have established that the cyber criminals were able to access a limited amount of member data. This is obviously extremely distressing for our colleagues and members, and I am very sorry this happened. We recognise the importance of data protection and take our obligations to you and our regulators seriously, particularly as a member-owned organisation.

“I appreciate you will want to know more, and I hope you will understand that in order to protect our Co-op, we are limited as to the detail we can communicate at this time. I thank you for your patience and I will be in touch as soon as possible. Thank you for your continued support.”