Co-op boss confirms all 6.5 million members had data stolen in cyber-attack

The chief executive of Co-op has confirmed that all 6.5 million of its members had their data stolen in a cyber-attack on the retailer in April.

"I'm devastated that information was taken. I'm also devastated by the impact that it took on our colleagues as well as they tried to contain all of this," Shirine Khoury-Haq told BBC Breakfast in her first public interview since the hack.

"There was no financial data, no transaction data but it was names and addresses and contact information that was lost," she added.

Ms Khoury-Haq said she would not step down from her role, but was "incredibly sorry" for the attack.

She said the hack was "personal" to her because of the impact it had on her colleagues.

"Early on I met with our IT staff and they were in the midst of it. I will never forget the looks on their faces, trying to fight off these criminals," she said.

Once the hackers had been removed from the systems, "they could not erase what they did so we could monitor every mouse click" and Co-op was able to send that information to authorities.

But she added: "We know a lot of that information is out there anyway, but people will be worried and all members should be concerned."

Co-op runs on a membership scheme, where members are paid a share of the profits of the co-operative.

"It hurt my members, they took their data and it hurt our customers and that I do take personally," Ms Khoury-Haq said.

Co-op was one of three retailers, alongside Marks and Spencer (M&S) and Harrods who were victims of cyber-attacks in spring this year.

Co-op announced on 30 April that it had been hacked, initially saying it would only have a "small impact" on its call centre and back office.

But days later, after being contacted by the alleged hackers, BBC News revealed that customer and employee data had been accessed.

Co-op then admitted the criminals had "accessed data relating to a significant number of our current and past members".

BBC News later discovered from the alleged attackers that the company disconnected the internet from IT networks in the nick of time to stop the hackers from deploying ransomware and so causing even more disruption.

M&S also had customer data stolen, and is still getting its systems back to normal after huge disruption which has cost it millions of pounds.

Last week, the National Crime Agency (NCA) said four people had been arrested in connection with the hacks on Co-op and M&S

These were a 20-year-old woman was arrested in Staffordshire, and three males - aged between 17 and 19 - were detained in London and the West Midlands.

They were apprehended on suspicion of Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group.

Additional reporting by Charlotte Edwards.