Four Arrested in Connection with Devastating Cyber-Attacks on M&S, Co-op

Started by Dev Sunday, 2025-07-10 06:56

In a significant breakthrough in the ongoing investigation into the crippling cyber-attacks that plagued major UK retailers Marks & Spencer, Co-op, and Harrods earlier this year, four individuals have been apprehended by the National Crime Agency (NCA). These arrests, made in the early hours of Thursday morning, July 10, 2025, signal a crucial step forward in unraveling the complex web behind the digital incursions that caused widespread disruption, financial losses, and significant concern over customer data security. While the full extent of their involvement and the precise nature of the charges are still unfolding, this development offers a glimmer of hope to the affected companies and the public that those responsible for these sophisticated acts of cybercrime will be brought to justice.
The arrests were carried out at residential addresses across the UK, spanning London, Staffordshire, and the West Midlands, with collaborative support from regional organised crime units. The four individuals taken into custody include a 17-year-old British male from the West Midlands, a 19-year-old Latvian male also from the West Midlands, a 19-year-old British male from London, and a 20-year-old British woman from Staffordshire. All four are being held on suspicion of a range of serious offences, including blackmail, money laundering, breaches of the Computer Misuse Act, and participation in the activities of an organised crime group. Electronic devices were seized from their properties for forensic analysis, which is expected to provide further crucial evidence for the ongoing investigation.
These arrests stem from a painstaking and intensive investigation by the NCA's specialist cybercrime unit, which has been working at pace since the attacks first surfaced in April and May of 2025. The cyber-attacks on M&S, Co-op, and Harrods were not isolated incidents but formed part of a coordinated series of breaches that are believed to have targeted the retailers for ransom payments after gaining unauthorised access to their IT systems. The modus operandi of the attackers, widely attributed to the notorious cybercrime group known as Scattered Spider (also identified as Octo Tempest or UNC3944), involved sophisticated social engineering tactics, particularly targeting IT help desks. This method, which often involves impersonating legitimate company personnel, allowed the perpetrators to bypass security protocols and infiltrate sensitive networks.
Marks & Spencer was among the first and most significantly impacted, forced to suspend online operations in April. The attack initially disrupted contactless payments and click-and-collect orders, subsequently impacting stock availability in stores. The financial ramifications for M&S have been considerable, with estimates suggesting the cyber-attack could cost the retailer around £300 million due to the six-week shutdown of its website and ongoing recovery efforts. Beyond the operational and financial setbacks, the incident also led to the potential theft of personal customer data, including names, email addresses, postal addresses, and dates of birth, raising serious privacy concerns for millions of consumers.
The Co-op Group also suffered a significant cyber-attack in May, which severely impacted its stock availability, leading to days of empty shelves in many of its food stores. Similar to M&S, this breach resulted in the theft of personal data belonging to a "significant number" of current and past members, including names and contact information. While the Co-op's stores remained open, the disruption to back-office functions and call centers highlighted the pervasive nature of the attack and its wide-ranging consequences. Harrods, the iconic luxury department store, also confirmed it had been affected by an attempted hack, leading it to temporarily restrict internet access across its websites as a precautionary measure to safeguard its systems.
The attribution of these attacks to a specific cybercrime collective, particularly Scattered Spider, has been a key focus for cybersecurity experts and law enforcement. This group is known for leveraging its English-speaking members to execute advanced social engineering attacks. While the attacks cannot be firmly attributed to this collective at this early stage, so soon after the arrests, and the investigation remains ongoing, the similarities in tactics, techniques, and procedures across the three distinct attacks suggest a common threat actor. Industry analysts had categorized the disruptions to M&S and Co-op as a "Category 2 systemic event," indicating a severe and widespread impact on critical infrastructure.
Paul Foster, head of the NCA's National Cyber Crime Unit, emphasized the agency's commitment to the investigation, stating, "Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the agency's highest priorities. Today's arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice." This statement underscores the complexity and international nature of cybercrime investigations, often requiring collaboration across borders.
The arrests, while a welcome development, mark an early stage in a potentially lengthy legal process. The individuals have not yet been charged or convicted of any offences, and their right to a fair trial is paramount. Furthermore, the NCA has indicated that there are significant safeguarding concerns related to those arrested, which the agency and its partners are actively managing. This suggests that the individuals may be vulnerable, adding another layer of complexity to the case.
The cyber-attacks on these prominent retailers served as a stark reminder of the escalating threat landscape in the digital age. They highlighted the critical importance of robust cybersecurity measures, vigilant employee training against social engineering tactics, and rapid response capabilities for businesses of all sizes. The financial and reputational damage incurred by M&S, Co-op, and Harrods underscores the devastating impact of successful cyber intrusions. While the journey to full recovery and enhanced security continues for the affected companies, these recent arrests offer a tangible sign that law enforcement agencies are making significant strides in combating sophisticated cybercrime and holding perpetrators accountable for their actions. The investigation continues, and the public will undoubtedly be watching closely for further developments in this high-profile case.
Source: BBC