Co-op Breach Exposes 6.5 Million After Active Directory Heist in Scattered Spider Attack
Co-op Confirms Catastrophic Breach Impacting 6.5 Million Members
UK retail conglomerate Co-operative Group has verified that attackers exfiltrated personal data belonging to all 6.5 million of its members during an April 2025 cyberattack. The intrusion—attributed to the Scattered Spider threat group—utilized DragonForce ransomware and caused significant operational disruptions, including food shortages across Co-op's grocery stores.
CEO Shirine Khoury-Haq stated in a BBC interview:
"Their data was copied, and the criminals did have access to it... That is the awful part of this unfortunately."
While financial data remained secure, stolen contact information creates substantial phishing and identity fraud risks for victims. Khoury-Haq emphasized the human impact, calling the breach "personal" due to its effect on members and employees.
Attack Chain: From Social Engineering to Active Directory Compromise
Technical analysis reveals a meticulously executed attack:
- Initial Access: Social engineering enabled password reset compromise of an employee account on April 22, 2025
- Lateral Movement: Threat actors escalated privileges across the network
- Critical Data Theft: Windows Active Directory's NTDS.dit file was exfiltrated—a database containing cryptographic password hashes for all domain accounts
- Ransomware Deployment: DragonForce payload prepared but partially contained by Co-op's system shutdowns
The NTDS.dit exfiltration represents a severe enterprise threat. This file enables offline password cracking via tools like Hashcat, granting attackers persistent access. Microsoft describes NTDS.dit as containing:
- Usernames and unique security identifiers (SIDs)
- Password hashes (NTLM and LM)
- Group membership data
- Password policy configurations
Scattered Spider's Evolving Ransomware Operations
This attack demonstrates Scattered Spider's signature tactics:
- Social Engineering Specialization: Bypassing technical controls through human manipulation
- Active Directory Targeting: Consistently pursuing NTDS.dit for domain dominance
- Ransomware Collaboration: Partnering with groups like DragonForce (previously linked to BlackCat operations)
The group's infrastructure enabled parallel attacks on Marks & Spencer and Harrods, with UK authorities recently arresting four suspects aged 17-20. One individual reportedly participated in Scattered Spider's 2023 MGM Resorts attack that encrypted 100+ ESXi servers.
Defense Implications for Enterprise Security
Key technical takeaways for organizations:
- Harden Active Directory: Implement Microsoft LAPS for local admin passwords, restrict domain controller access, and enable Credential Guard
- Mitigate Pass-the-Hash: Enforce multi-factor authentication (MFA) universally and segment networks
- Detect NTDS.dit Theft: Monitor for Volume Shadow Copy Service (VSS) administrative tool abuse and unexpected DC traffic
- Social Engineering Resilience: Conduct continuous phishing simulations and privileged access reviews
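To make the NTDS.dit detection point concrete, here is an added example (not from the article or from Co-op) that scans Sysmon Event ID 1 / Security 4688-style process-creation events for VSS tooling used to reach the locked database file. The hosts, users and command lines are constructed placeholders, and the backup-account allowlist is an assumption about how a SOC would suppress expected shadow-copy activity.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style).
# Hosts, users and command lines are illustrative placeholders, not incident data.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": r"CORP\svc_backup", "cmdline": "vssadmin.exe list shadows"},
    {"host": "DC01", "user": r"CORP\jdoe", "cmdline": "vssadmin.exe create shadow /for=C:"},
    {"host": "DC01", "user": r"CORP\jdoe",
     "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\n.dit"},
    {"host": "WS042", "user": r"CORP\alice", "cmdline": "wmic shadowcopy call create Volume=C:\\"},
    {"host": "WS042", "user": r"CORP\alice", "cmdline": "agent.exe --schedule"},
]

# Indicators of Volume Shadow Copy tooling being used to reach the locked NTDS.dit file.
RULES = [
    ("vss_shadow_create", re.compile(
        r"vssadmin(\.exe)?\s+create\s+shadow|wmic(\.exe)?\s+shadowcopy\s+call\s+create|\bdiskshadow\b", re.I)),
    ("shadow_copy_path", re.compile(r"HarddiskVolumeShadowCopy\d+", re.I)),
    ("ntds_dit_reference", re.compile(r"ntds\.dit", re.I)),
]


def detect_ntds_theft(events, allowed_users=frozenset()):
    """Return one alert per event whose command line matches a rule.

    allowed_users: accounts (e.g. a backup service account) whose shadow-copy
    activity is expected; their events are skipped. Severity is raised to
    'high' when a host shows two or more distinct indicators in the batch,
    because a shadow copy alone is routine on a backed-up domain controller.
    """
    alerts, per_host = [], {}
    for ev in events:
        if ev["user"] in allowed_users:
            continue
        hits = [name for name, rx in RULES if rx.search(ev["cmdline"])]
        if hits:
            per_host.setdefault(ev["host"], set()).update(hits)
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "cmdline": ev["cmdline"], "rules": hits})
    for alert in alerts:
        alert["severity"] = "high" if len(per_host[alert["host"]]) >= 2 else "medium"
    return alerts


if __name__ == "__main__":
    for alert in detect_ntds_theft(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["user"], alert["rules"], alert["cmdline"])
```

In the sample batch the domain controller DC01 trips three distinct indicators and is rated high, while the lone shadow-copy creation on WS042 stays medium; in production the same logic should be correlated with the unexpected outbound DC traffic the article also recommends watching.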
This breach underscores how legacy identity systems remain prime targets. As UK law enforcement pursues suspects, enterprises must prioritize securing authentication hierarchies against rapidly evolving adversarial tradecraft.
Source: BleepingComputer