Co-op Data Breach Compensation: What Customers Need to Know
If you are a Co-op member wondering about Co-op data breach compensation, start with the facts rather than the adverts, because the two paint very different pictures. In April 2025 the retailer was hit by a cyber attack that its chief executive later confirmed had compromised the personal data of all 6.5 million members. Since then, a stream of claims firms has appeared promising payouts. This page sets out what was actually taken, whether a claim is realistic, and how UK data protection law treats compensation, so you can decide with a clear head.
What happened in the Co-op breach
The attack began in late April 2025 and forced parts of Co-op’s IT systems offline. Shelves emptied in some stores and hundreds of funeral branches temporarily reverted to paper. The criminals behind it have been linked to the Scattered Spider group using DragonForce ransomware tooling, and the attack was part of the same wave that also hit Marks and Spencer and Harrods around the same time.
Co-op initially played down the scope, but chief executive Shirine Khoury-Haq later said she was “incredibly sorry” and confirmed that data belonging to all 6.5 million members had been accessed. The company has reported tens of millions of pounds in losses from the disruption.
What data was stolen (and what was not)
According to Co-op, the stolen membership data included:
- Names
- Dates of birth
- Email addresses
- Phone numbers
- Home addresses
Co-op has said that no financial information was taken. Card numbers, bank details and transaction histories were not part of the exposed data, and no member passwords were reported stolen. That distinction matters for any claim, because the type of data lost shapes both the real-world risk and the level of any award.
The practical risk from this kind of data is targeted phishing and impersonation. A criminal who knows your name, address, date of birth and the fact you shop with Co-op can craft a convincing scam message. For a wider look at how incidents like this play out, see our GDPR breach examples.
Can you claim compensation for the Co-op data breach?
You may be able to, but the honest answer is more measured than the claims adverts suggest.
Under UK GDPR and the Data Protection Act 2018, you can seek compensation if a breach of your personal data caused you damage. That damage can be material (an actual financial loss, such as money taken by a fraudster who used the leaked data) or non-material (distress and anxiety caused by the loss of control over your information). You do not have to prove financial loss to claim for distress, but you do have to show a real, non-trivial impact rather than mere annoyance.
Two things are worth being clear about:
- The ICO does not pay compensation. The Information Commissioner’s Office regulates and can fine organisations, but it does not award money to individuals. Compensation comes through the courts or a negotiated settlement, which is why law firms and claims managers run group actions.
- Awards for a breach like this tend to be modest. Where no money was actually stolen and the loss is distress alone, UK court awards have historically been at the lower end, often a few hundred pounds rather than the large sums some adverts imply.
How to check if you are affected and what to do
- Look for direct contact from Co-op. A genuinely affected member should be notified. Co-op posts updates through its own newsroom and member channels.
- Do not act on unsolicited breach messages. Scammers exploit breaches by sending fake “you are owed compensation” texts and emails. Never click a link or hand over bank details in response to one.
- Tighten your own security. Be extra sceptical of calls, texts and emails referencing Co-op, change any password you reused elsewhere, and consider registering with a credit reference agency’s alerts if you are worried about identity misuse.
- You can complain to the ICO for free. If you believe Co-op mishandled your data, you can raise it with the ICO (see the ICO’s personal data breach guidance), at no cost and separately from any compensation claim.
Watch out for claims farms
After every large breach, “no win, no fee” claims firms swarm. Some are reputable solicitors running legitimate group litigation; others are marketing operations that harvest your data and take a large cut of any award. Before signing anything:
- Check the firm is a solicitor regulated by the Solicitors Regulation Authority, or a claims manager authorised by the Financial Conduct Authority.
- Read the success fee. A deduction of a third or more of your award is common, so a “£1,000 claim” can leave you with far less.
- Never pay an upfront fee for a data breach claim, and never share bank details to “receive” compensation.
The lesson for businesses
The Co-op breach is a textbook case of why cyber security is now a board-level issue for every organisation, not just retailers. The initial entry point in this wave of attacks was social engineering of IT help desks, not some exotic zero-day. The fallout from an incident like this is exactly the kind of loss a well-scoped cyber policy is meant to help with, from incident response to third-party liability. If you run a business that holds customer data, read our complete guide to cyber insurance for UK small businesses and our plain answer to whether you actually need cyber insurance.
Frequently asked questions
How much compensation can I get for the Co-op data breach?
There is no fixed figure. Because no financial data was stolen, most realistic claims are for distress rather than actual losses, and UK court awards for distress alone have tended to be modest, often in the low hundreds of pounds. Anyone promising a guaranteed large payout is overstating what the law typically delivers.

Is the Co-op data breach compensation claim genuine?
Some group claims are run by regulated solicitors and are legitimate, but many adverts come from claims farms that take a large cut. Always check the firm is SRA-regulated or FCA-authorised, read the success fee, and never pay upfront or hand over bank details.

What data did the Co-op breach expose?
Names, dates of birth, email addresses, phone numbers and home addresses of all 6.5 million members. Co-op has said no financial information, card details or passwords were taken.

Do I have to use a claims company to make a claim?
No. You can complain to the ICO for free, and you can pursue a court claim yourself, though breach litigation is complex. Claims firms exist to handle that complexity, but you pay for it through their success fee.

What should I do now if I am a Co-op member?
Watch for genuine notification from Co-op, ignore and report any unsolicited “compensation” messages, change any reused passwords, and stay alert to phishing that references your Co-op membership. Taking those steps protects you regardless of whether you pursue a claim.