UK Retail Chains Targeted by Ransomware Attackers Claiming Data Theft

Major ransomware campaign targeting UK retailers has escalated as hackers provided BBC News with evidence of extensive network infiltration and data theft from Co-op, contradicting the company’s initial statements that downplayed the incident.

The cyber criminals, operating under the name DragonForce, claim to possess personal information of approximately 20 million Co-op loyalty scheme members and assert responsibility for similar attacks against other major UK retailers including M&S and Harrods.

The threat actors demonstrated their network access by sharing screenshots of extortion messages delivered directly through Co-op’s internal Microsoft Teams platform on April 25.

In these communications, addressed to the company’s head of cybersecurity, the attackers explicitly stated they had “exfiltrated the data from your company” including “customer database, and Co-op member card data.

‘The hackers’ ability to access internal Teams chats explains Co-op’s subsequent security measures requiring staff to keep cameras on during virtual meetings and verify all participants’ identities.

Technical evidence provided to the BBC included employee credential databases containing usernames and passwords for Co-op staff, alongside a sample dataset of 10,000 customer records containing membership numbers, personal identifiers, home addresses, email addresses, and phone numbers.

The organization initially claimed there was “no evidence that customer data was compromised” but has since acknowledged to the stock market that member personal data was accessed, though they maintain no passwords, financial information, or transaction histories were exposed.

Co-op employs approximately 70,000 staff across 2,500 supermarkets, 800 funeral homes, and its insurance business.

Attribution and Operational Methods of DragonForce

DragonForce operates as a ransomware-as-a-service (RaaS) platform, allowing affiliates to utilize their malicious infrastructure for attacks and extortion campaigns.

Security analysts note the tactics in these retail breaches align with those employed by a loosely organized hacking collective previously identified as Scattered Spider or Octo Tempest.

This English-speaking group, reportedly including teenage members, coordinates activities through Telegram and Discord channels.

The ransomware operators’ representatives communicated with journalists using text-based methods, displaying fluent English skills.

They referenced characters from the US crime series “Blacklist,” stating two hackers wished to be known as “Raymond Reddington” and “Dembe Zuma,” while declaring they were “putting UK retailers on the Blacklist.

” DragonForce’s typical methodology involves both data encryption and exfiltration, creating dual extortion leverage against victims.

Government Response and Industry-Wide Security Implications

The escalating retail sector attacks have prompted high-level government response, with national security officials and the National Cyber Security Centre leadership convening to discuss support measures.

Minister Pat McFadden, who oversees cybersecurity matters, characterized the incidents as a “wake-up call” for UK businesses.

“In a world where cybercriminals targeting us are relentless in their pursuit of profit-with attempts being made every hour of every day-companies must treat cybersecurity as an absolute priority,” McFadden stated.

He emphasized the real-time disruption these attacks have caused to everyday consumers and businesses, adding that digital infrastructure requires the same protection mentality as physical assets:

“Just as you would never leave your car or your house unlocked on your way to work, we have to treat our digital shop fronts the same way.”

Co-op has confirmed it is working with the National Cyber Security Centre and National Crime Agency while expressing regret for the situation.