Co-op – Data Leak

I do not often post on Saturdays but this could not wait until after the Bank Holiday.

All last week my articles were about the cyber attacks impacting UK retail stores. It started with M&S, then the Co-op and finished with Harrods. You can read those articles below.

I was going to write about a WooCommerce attack…

More M&S

More on the M&S cyber attack

Marks and Spencer Cyber Attack

Early in the incidents, all three organisations told customers not to worry and that they did not have to do anything. I always coach clients that incident communications are key and that they should not overreach what they really know.

The BBC is now reporting that they have seen evidence that the Co-op has had a significant quantity of data stolen:

Co-op cyber attack affects customer data, firm admits, after hackers contact BBC – BBC News

It appears from the evidence presented to the BBC by the ransomware gang calling itself DragonForce that the Co-op’s head of cyber security was first contacted on April 25 and shown that data had been stolen.

After being approached by the BBC, the Co-op said this:

“It [The Co-op] also assured the public that there was ‘no evidence that customer data was compromised’” (BBC News)

The Co-op has now reported fully what data it can confirm has been stolen to staff and the stockmarket – he

“This data includes Co-op Group members’ personal data such as names and contact details, and did not include members’ passwords, bank or credit card details, transactions or information relating to any members’ or customers’ products or services with the Co-op Group,” a spokesperson said. (BBC News)

Let’s hope that once the investigation is complete this statement is still correct.

Your Takeaway

During an incident, organisations may be rightly advised by their cyber security professionals to delay making detailed statements, as these may compromise the investigations and responses. If that is the case, then tell people so as the incident is announced. But if you restrict or over-reach the information you release to people who may be impacted by your cyber incident because of your financial considerations, then you may have a reputational issue to deal with later.

Clive Catton MSc (Cyber Security) – by-line and other articles

Further Reading

I cover cyber security incident communications in my ransomware primer.
