Co-op’s Data Breach: Another Day, Another Cyberattack in UK Retail
Co-op Breached: And So It Begins... Again
Oh look—another week, another British brand accidentally ladling customer data into a cybercriminal’s inbox like it’s a free sample at the deli counter. This time, it’s Co-op. More specifically, Co-op Legal Services and Co-op Funeralcare. Because apparently, even the afterlife can’t escape data loss.
And in case you thought this one might be handled with some urgency—think again. The attackers themselves had to contact the BBC because Co-op didn’t respond quickly enough. Nothing screams “we’ve got this under control” like ghosting a bunch of hackers until they go full whistleblower.
The Attack Timeline: A Masterclass in Shrugging
Late March / Early April 2025: Breach happens, supposedly via payroll provider Zellis. You’d think everyone would have patched MOVEit by now, but here we are.
Mid-April: Co-op staff are told there’s been an “incident.” Classic move. Vague language? Check. Vague reassurances? Double check. Panic meter: rising.
May 1st: Hackers go public. They contact the BBC and hand over proof that customer data is involved—because apparently that’s the only way to get attention these days.
May 2nd: Co-op finally confirms the obvious: customer information was, in fact, breached. Somewhere, a press officer wipes sweat off their brow and hits “send” on a very carefully worded statement.
What Was Stolen? That’s Still Fuzzy
Co-op’s PR machine hasn’t offered much in the way of detail—just the usual foghorn of “ongoing investigation” and “out of an abundance of caution” statements that mean absolutely nothing. But based on previous Zellis-adjacent breaches, we can take an educated guess:
Names, addresses, phone numbers? Let’s not kid ourselves—definitely.
Sensitive case data? Possibly, and that’s where things start to feel less like a spreadsheet leak and more like a lawsuit waiting to happen.
Here’s the kicker: this isn’t your average marketing database. This is funeral arrangements, legal proceedings, possibly next of kin info—the kind of data you don’t want surfacing in a pastebin next to a cartoon skull and a countdown timer.
It’s one thing to have your gym app leaked. It’s another to have details about your will or a deceased relative’s estate out there. We’re not talking about compromised loyalty points here—we’re talking about the most private moments of people’s lives.
And Co-op? They’re still “monitoring the situation.” Hopefully with more urgency than they monitored their suppliers.
Zellis: The Name Behind the Curtain
Let’s talk about Zellis—the payroll and HR outsourcing firm at the heart of several breaches over the past two years. Zellis is the kind of company no one outside the boardroom has heard of until suddenly they’re being named in the same breath as British Airways, the BBC, and now Co-op.
This is the same Zellis whose systems got clipped via the MOVEit Transfer zero-day in 2023. That little mess splashed half the FTSE 100 with data leaks. Since then, it’s been suspiciously quiet—until now.
Their client list includes the likes of Harrods, Jaguar Land Rover, and a long tail of other big-name brands. M&S hasn’t confirmed anything, but let’s be honest: the way things are going, you wouldn’t bet against it.
The uncomfortable truth? This might not even be a new breach. This could just be more fallout from the same festering security wound that no one properly cleaned up in the first place.
Silence Isn’t a Strategy. It’s a Liability.
If your crisis comms plan involves ignoring cybercriminals until they email the press, you’ve already failed.
Co-op could’ve owned the narrative. They could’ve reassured customers early, taken decisive action, been transparent. Instead, they sat on their hands while ransomware gangs started doing PR. If that’s not a low point for corporate risk management, it’s damn close.
There are a few universal truths in cybersecurity, and one of them is this: your silence will be filled by someone else’s story—usually the attackers’.
This Isn’t Just a Co-op Problem. It’s a Retail Epidemic.
Co-op is merely the latest example of a UK retail sector that keeps leaving the barn door open while asking, “what’s that clattering sound?”
Let’s review the roster:
Harrods: Breached.
M&S: Breached.
Carpetright: Breached... and bankrupt.
Boots: Breached.
And now, Co-op: Breached and media-shamed.
It’s almost as if there’s a pattern.
And lurking in the background of it all? Zellis. Quietly doing payrolls. Holding data for millions. And either being targeted repeatedly or failing to lock the door properly. Or both.
Which leaves us staring down the obvious:
The Question Everyone’s Avoiding
How many more UK retailers are one poorly patched supplier away from starring in their own breach headline?
Because based on the last 24 months?
The answer isn’t “none.”
It’s “who’s next?”