Co-op boss confirms all 6.5m members had data stolen

The chief executive of Co-op has confirmed that all 6.5 million of its members had their data stolen in a cyber-attack on the retailer in April.

"I'm devastated that information was taken. I'm also devastated by the impact that it took on our colleagues as well as they tried to contain all of this," Shirine Khoury-Haq told BBC Breakfast in her first public interview since the hack.

"There was no financial data, no transaction data but it was names and addresses and contact information that was lost," she added.

Meanwhile, four people who were arrested a week ago by police investigating the cyber-attacks that caused havoc at M&S and the Co-op have all been bailed.

Ms Khoury-Haq said that she was "incredibly sorry" for the attack and that it was "personal" to her because of the impact that it had on her colleagues.

"Early on I met with our IT staff and they were in the midst of it. I will never forget the looks on their faces, trying to fight off these criminals," she said.

The hackers were removed from the systems but "could not erase what they did so we could monitor every mouse click," and Co-op was able to send that information to authorities.

But she added: "We know a lot of that information is out there anyway, but people will be worried and all members should be concerned."

Co-op runs on a membership scheme, where members are paid a share of the profits of the co-operative.

"It hurt my members, they took their data and it hurt our customers and that I do take personally," Ms Khoury-Haq said.

Following the cyber attacks on the Co-op and M&S, the National Crime Agency (NCA) said on Wednesday that a 17-year-old British man from the West Midlands, a 19-year-old Latvian man from the West Midlands, a 19-year-old British man from London, and a 20-year-old British woman from Staffordshire were all bailed pending further inquiries.

They were all arrested from their home addresses on suspicion of blackmail, money laundering, offences linked to the Computer Misuse Act, and participating in the activities of an organised crime group, according to the NCA.

The police also seized electronic devices from the properties.

Co-op has not put a figure on how much the hack will cost them, but it says it is still working to restore back-end systems.

One of its responses to the hack is to partner with a cyber-security recruitment company.

The Hacking Games identifies young talent to channel their skills into legal careers.

"The research shows that if you offer these kids talent development opportunities and career opportunities, the vast majority of them will take the legitimate pathway," said its chief executive Fergus Hay.

It is planning a pilot programme with Co-op Academies Trust, which runs 38 schools in England.

Co-op was one of three retailers, alongside Marks and Spencer (M&S) and Harrods who were victims of cyber-attacks in spring this year.

Co-op announced on 30 April that it had been hacked, initially saying it would only have a "small impact" on its call centre and back office.

But days later, after being contacted by the alleged hackers, BBC News revealed that customer and employee data had been accessed.

Co-op then admitted the criminals had "accessed data relating to a significant number of our current and past members".

BBC News later discovered from the alleged attackers that the company disconnected the internet from IT networks in the nick of time to stop the hackers from deploying ransomware and so causing even more disruption.

M&S also had customer data stolen, and is still getting its systems back to normal after huge disruption which has cost it millions of pounds.

Additional reporting by Charlotte Edwards.

Sign up for our Tech Decoded newsletter to follow the world's top tech stories and trends. Outside the UK? Sign up here.