Cyber correspondent, BBC World Service
Getty ImagesCyber criminals have told BBC News their hack against Co-op is far more serious than the company previously admitted.
Hackers contacted the BBC with proof they had infiltrated IT networks and stolen huge amounts of customer and employee data.
After being approached on Friday, a Co-op spokesperson said the hackers “accessed data relating to a significant number of our current and past members”.
Co-op had previously said that it had taken “proactive measures” to fend off hackers and that it was only having a “small impact” on its operations.
It also assured the public that there was “no evidence that customer data was compromised”.
The cyber criminals claim to have the private information of 20 million people who signed up to Co-op’s membership scheme, but the firm would not confirm that number.
The criminals, who are using the name DragonForce, say they are also responsible for the ongoing attack on M&S and an attempted hack of Harrods.
The attacks have led government minister Pat McFadden to warn companies to “treat cyber security as an absolute priority”.
The anonymous hackers showed the BBC screenshots of the first extortion message they sent to Co-op’s head of cyber security in an internal Microsoft Teams chat on 25 April.
“Hello, we exfiltrated the data from your company,” the chat says.
“We have customer database, and Co-op member card data.”
They also showed screenshots of a call with the head of security which took place around a week ago.
The hackers say they messaged other members of the executive committee too as part of their scheme to blackmail the firm.
Co-op has more than 2,500 supermarkets as well as 800 funeral homes and an insurance business.
It employs around 70,000 staff nationwide.
The cyber attack was announced by the company on Wednesday.
On Thursday, it was revealed Co-op staff were being urged to keep their cameras on during Teams meetings, ordered not to record or transcribe calls, and to verify that all participants were genuine Co-op staff.
The security measure now appears to be a direct result of the hackers having access to internal Teams chats and calls.
DragonForce shared databases with the BBC that includes usernames and passwords of all employees.
They also sent a sample of 10,000 customers data including Co-op membership card numbers, names, home addresses, emails and phone numbers.
The BBC has destroyed the data it received, and is not publishing or sharing these documents.
DragonForce claims
The Co-op membership database is thought to be highly valuable to the company.
Since the BBC contacted Co-op about the hackers’ evidence, the firm has disclosed the full extent of the breach to its staff and the stock market.
“This data includes Co-op Group members’ personal data such as names and contact details, and did not include members’ passwords, bank or credit card details, transactions or information relating to any members’ or customers’ products or services with the Co-op Group,” a spokesperson said.
DragonForce want the BBC to report the hack – they are apparently trying to extort the company for money.
But the criminals wouldn’t say what they plan to do with the data if they don’t get paid.
They refused to talk about M&S or Harrods and when asked about how they feel about causing so much distress and damage to business and customers, they refused to answer.
DragonForce is a ransomware group known for scrambling victims’ data and demanding a ransom is paid to get the key to unscramble it. They are also known to have stolen data as part of their extortion tactics.
DragonForce operates an affiliate cyber crime service so anyone can use their malicious software and website to carry out attacks and extortions.
It’s not known who is ultimately using the DragonForce service to attack the retailers, but some security experts say the tactics seen are similar to that of a loosely coordinated group of hackers who have been called Scattered Spider or Octo Tempest.
The gang operates on Telegram and Discord channels and is English-speaking and young – in some cases only teenagers.
Conversations with the Co-op hackers were carried out in text form – but it is clear the hacker, who called himself a spokesperson, was a fluent English speaker.
They say two of the hackers want to be known as “Raymond Reddington” and “Dembe Zuma” after characters from US crime thriller Blacklist which involves a wanted criminal helping police take down other criminals on a ‘blacklist’.
The hackers say “we’re putting UK retailers on the Blacklist”.
Co-op says it is working with the NCSC and the NCA and said in a statement it is very sorry this situation has arisen.
‘Wake-up call’
UK government officials have met over the cyber attacks, with national security staff and the chief executive of the National Cyber Security Centre discussing support for retailers.
In a keynote speech next week setting out government action, minister Pat McFadden – who has responsibility for cyber security – will say the attacks need to be a “wake-up call” for every UK business.
“In a world where the cybercriminals targeting us are relentless in their pursuit of profit – with attempts being made every hour of every day – companies must treat cyber security as an absolute priority.
“We’ve watched in real-time the disruption these attacks have caused – including to working families going about their everyday lives.
“It serves as a powerful reminder that just as you would never leave your car or your house unlocked on your way to work. We have to treat our digital shop fronts the same way.”
