Four arrested in M&S cyber attack investigation

Police have made four arrests in connection with a trio of cyber attacks on UK retailers Marks & Spencer, Co-op and Harrods

Four people have been arrested and taken into custody across the UK in a National Crime Agency investigation into the April and May 2025 cyber attacks on Marks & Spencer (M&S), Co-op Group and Harrods.

The arrests of two men aged 19, a third aged 17 and a 20-year-old woman were made at their home addresses in London, Staffordshire and the West Midlands, with support from West Midlands Regional Organised Crime Unit (Rocu) and the East Midlands Special Operations Unit.

The four are suspected of offences under the Computer Misuse Act of 1990, blackmail, money laundering and participating in the activities of an organised crime group. A number of electronic devices have been seized for forensic analysis.

The attacks, which unfolded in the space of around 10 days during the spring, saw cyber criminals gain access to the victimised retailers’ systems via social engineering tactics, potentially involving a common third-party supplier. For M&S, it resulted in the suspension of online shopping and disruption to food deliveries as IT security staff worked overtime and slept in the office at the height of the chaos. Nearly three months on, the retailer has still not made a full recovery. Co-op and Harrods, meanwhile, proved to be somewhat more resilient and were affected to a lesser degree.

“Since these attacks took place, specialist NCA cyber crime investigators have been working at pace and the investigation remains one of the agency’s highest priorities,” said NCA National Cyber Crime Unit deputy director Paul Foster.

“Today’s arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice,” he said.

Given the ongoing and highly vulnerable nature of its investigation, which spans multiple law enforcement agencies from other countries, the NCA is playing its cards close to its chest, and for this reason further details of the arrests are more limited than usual.

Computer Weekly understands all four individuals – none of whom can be named at the present time – are considered vulnerable and present various concerns from a safeguarding perspective. Additionally, none of them have yet been charged with or convicted of any offences, and their right to a fair trial is sacrosanct.

Although the arrests are all linked to the three distinct attacks, a firm attribution to the cyber crime collective that has been widely linked to the incidents cannot be made at this time, and nor should any link to any other recent attacks yet be inferred.

Positive development

The NCA thanked all three organisations, M&S, Co-op and Harrods, for their support of the wider investigation that has led to this point.

“Hopefully, this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process. The NCA and policing are here to help,” said Foster.

Following candid evidence presented by M&S chairman Archie Norman before a Parliamentary sub-committee this week, Foster told Computer Weekly that he wanted to encourage more open dialogue around cyber attacks.

“It was good to see Archie Norman speak so openly,” he said. “I do welcome the policy narrative, the public narrative and the discussion, and I hope that is something that my team and others can use going forwards to help keep the public safer from cyber crime in the future.”

Charles Carmakal, chief technology officer for Mandiant Consulting at Google Cloud, who has been investigating the string of cyber attacks as they unfolded, hailed a “significant win” in the fight against the hackers.

“Their aggressive social engineering tactics and relentless pursuit of access have proven particularly challenging for many defenders and resulted in considerable damage to organisations in the UK and US,” said Carmakal.

“This action by law enforcement underscores the critical importance of international collaboration in combating cyber crime. Previous arrests have impacted their operations, causing a significant lull in activity. This is a critical window for organisations to fortify their defenses against this collective.”

Read more on this story

  • 22 April 2025: A cyber attack at M&S has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services.
  • 24 April: M&S is still unable to provide contactless payment or click-and-collect services amid a cyber attack that it says has forced it to move a number of processes offline to safeguard its customers, staff and business.
  • 25 April: M&S shuts down online sales as it works to contain and mitigate a severe cyber attack on its systems.
  • 29 April: An infamous hacking collective may have been behind the ongoing cyber attack on M&S that has crippled systems at the retailer and left its ecommerce operation in disarray.
  • 30 April: A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack.
  • 1 May: Co-op tells staff to stop using their VPNs and be wary that their communications channels may be being monitored, as a cyber attack on the organisation continues to develop.
  • 1 May: Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact.
  • 2 May: The National Cyber Security Centre confirms it is providing assistance to M&S, Co-op and Harrods as concerns grow among UK retailers.
  • 7 May: No end is yet in sight for UK retailers subjected to apparent ransomware attacks.
  • 13 May: M&S is instructing all of its customers to change their account passwords after a significant amount of data was stolen in a DragonForce ransomware attack.
  • 14 May: Google’s threat intel analysts are aware of a number of in-progress cyber attacks against US retailers linked to the same gang that supposedly attacked M&S and Co-op in the UK.
  • 20 May: Cold chain services provider Peter Green Chilled, which supplies the likes of Aldi, Sainsbury’s and Tesco, has been forced to halt operations after succumbing to a ransomware attack.
  • 11 June: So-called Black Swan events expose the blind spots in even the most sophisticated forecasting models, signaling a need to rethink how businesses, and those investing in them, quantify and prepare for cyber risk.
  • 13 June: The recent spate of cyber attacks on UK retailers has to be a wake-up call to build more cyber resilience into digital supply chains and fortify against social engineering attacks.
  • 17 June: Following a series of high-profile attacks on prominent retailers and consumer brands, a group of criminal hackers appears to be expanding their targeting to the insurance sector.
  • 20 June: The UK’s Cyber Monitoring Centre has published its first in-depth assessment of a major incident, reflecting on the impact of and lessons learned from cyber attacks on M&S and Co-op.
  • 27 June: Multiple reports are emerging of cyber attacks on airlines – Google Cloud’s Mandiant believes them to be linked.
  • 2 July: Australian flag carrier Qantas is investigating significant data theft of personal information for up to 6 million customers after a third-party platform used by its call centre was compromised.
  • 2 July: A developing cyber attack at Australian airline Qantas that started at a third-party call centre is already being tentatively attributed to the same gang that hit UK retailers. Find out more and learn about the next steps for those affected.
  • 8 July: The government should extend ransomware reporting mandates to businesses to help gather more intelligence and better support victims, says M&S chairman Archie Norman.
  • 9 July: Australian flag carrier begins notifying millions of individuals after a cyber attack on a call centre, confirming that while financial and passport details are safe, a significant volume of other personal information was compromised.
