Cyber correspondent, BBC World Service
Getty Images
Cybercriminals have informed BBC News that their hack on Co-op is significantly more severe than the company has acknowledged.
The hackers have reached out to the BBC, providing evidence of their infiltration into IT networks and the theft of massive amounts of customer and employee data.
Following an inquiry on Friday, a Co-op representative confirmed that hackers had “accessed data pertaining to a large number of our current and former members”.
Previously, Co-op claimed it had implemented “proactive measures” to defend against hackers, stating that the incident had only a “minor impact” on its operations.
They also reassured the public that there was “no indication that customer data was compromised”.
The hackers allege to possess the private details of 20 million individuals who enrolled in Co-op’s membership program, although the firm has not confirmed this figure.
Identifying themselves as DragonForce, the cybercriminals claim responsibility for the ongoing assault on M&S and an attempted breach of Harrods.
These assaults prompted government minister Pat McFadden to advise companies to prioritize “cyber security as an imperative”.
The anonymous hackers shared with the BBC screenshots of their initial extortion message sent to Co-op’s head of cyber security via an internal Microsoft Teams chat on April 25.
“Hello, we have exfiltrated the data from your company,” the message states.
“We possess customer database and Co-op member card data.”
Screenshots of a call with the head of security that occurred around a week ago were also presented by the hackers.
They claim to have messaged other executive committee members as part of their extortion scheme.
Co-op operates over 2,500 supermarkets, along with 800 funeral homes and an insurance business.
Employing approximately 70,000 staff nationwide, the company announced the cyber attack on Wednesday.
The following day, it was disclosed that Co-op staff had been instructed to keep cameras on during Teams meetings, refrain from recording or transcribing calls, and confirm that all participants were legitimate Co-op employees.
These security measures appear to stem directly from the hackers’ access to internal Teams chats and calls.
DragonForce also provided the BBC with databases that contained usernames and passwords of all employees.
Additionally, they sent a sample of 10,000 customers’ data, which included Co-op membership card numbers, names, home addresses, emails, and phone numbers.
The BBC has disposed of the data received and will not be publishing or sharing these documents.
DragonForce claims
The Co-op membership database is believed to hold significant value for the company.
Since the BBC approached Co-op regarding the hackers’ claims, the company has disclosed the full extent of the breach to its employees and the stock market.
“This data encompasses personal information of Co-op Group members, such as names and contact details, and does not include members’ passwords, bank or credit card information, transactions, or details related to any products or services associated with the Co-op Group,” a spokesperson indicated.
DragonForce is seeking the BBC to report on the hack while attempting to extort money from the company.
However, the criminals did not disclose their intentions regarding the data if they do not receive payment.
They declined to comment on M&S or Harrods and evaded questions about the distress and damage inflicted on businesses and customers.
DragonForce is a ransomware group recognized for scrambling victims’ data and demanding a ransom for the decryption key. They are also known for stealing data as part of their extortion methods.
DragonForce operates an affiliate cybercrime service, allowing anyone to utilize their malicious software and website for attacks and extortion.
It remains unclear who is ultimately employing the DragonForce service to target the retailers, though some security analysts suggest the tactics resemble those of a loosely associated group of hackers known as Scattered Spider or Octo Tempest.
This gang communicates on Telegram and Discord channels and is primarily composed of English-speaking youth, some of whom are teens.
The conversations with the Co-op hackers were text-based, but it was evident that the hacker, presenting as a spokesperson, spoke fluent English.
They identified two hackers who prefer the monikers “Raymond Reddington” and “Dembe Zuma,” inspired by characters from the U.S. crime thriller Blacklist, where a wanted criminal aids law enforcement in apprehending others on a ‘blacklist’.
The hackers stated, “we’re putting UK retailers on the Blacklist”.
Co-op has announced its collaboration with the NCSC and the NCA, expressing regret over the situation in a public statement.
‘Wake-up call’
UK government officials have convened in response to the cyber attacks, with national security personnel and the CEO of the National Cyber Security Centre discussing potential support for retailers.
In a keynote speech next week regarding government action, minister Pat McFadden, responsible for cyber security, will emphasize that these attacks should serve as a “wake-up call” for every UK business.
“In a world where cybercriminals relentlessly pursue profit—attempts being made every hour of the day—companies must prioritize cyber security as an absolute necessity.
“We have witnessed in real-time the disruption these attacks have caused, affecting working families in their daily routines.
“This serves as a significant reminder that, just as one would never leave their car or home unlocked on the way to work, we must treat our digital storefronts the same way.”
