The UK’s National Crime Agency (NCA) has arrested four people believed to be linked to the cyber attacks on Marks and Spencer (M&S), Co-op, and Harrods.
In a statement, the crime agency said two 19-year-old men, a 17-year-old boy, and a 20-year-old woman were arrested at locations in the West Midlands and London on suspicion of offences committed under the Computer Misuse Act, as well as blackmail, money laundering, and involvement in organized crime.
The NCA said the suspects remain in custody for questioning by officers from its National Cyber Crime Unit.
Electronic devices belonging to the suspects have been seized as part of the operation and are awaiting digital forensic analysis, the agency confirmed.
Commenting on the arrests, deputy director Paul Foster, head of the NCA’s National Cyber Crime Unit, said the arrests mark a “significant step in the investigation into the attacks which rocked UK retailers earlier this year.
“Since these attacks took place, specialist NCA cyber crime investigators have been working at pace and the investigation remains one of the agency's highest priorities,” he said.
"Cyber attacks can be hugely disruptive for businesses and I'd like to thank M&S, Co-op and Harrods for their support to our investigations,” Foster added.
“Hopefully this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process. The NCA and policing are here to help."
UK retailers shaken by disruptive attacks
The alleged offenses took place in April 2025, when all three retailers were hit by cyber attacks. The impacts on the businesses and their customers have been quite different, however.
The experience of M&S, which was the first to report suffering an incident, has been particularly drawn out. In the immediate wake of the incident, the retailer was forced to pause online orders and click and collect services for customers across the UK.
M&S resumed orders in early June, six weeks after the attack. The cost of recovery is expected to range in the hundreds of millions for the company.
The alleged attack on M&S was followed quickly by disruption at Co-op, which left customers across the UK facing empty shelves. Those living in parts of the Scottish Highlands and Islands were particularly badly affected as these were often the only food retailers in the area.
Harrods, the third alleged target, only experienced minor disruption for a limited time, however.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Why does the US continue to grapple with full-fibre rollout?In-depth Despite increased remote work and AI access demands, full-fiber rollout in the US continues to fall short
-
Enterprises need to sharpen up on software supply chain securityNews A new report from LevelBlue shows many enterprises are failing on software supply chain security, despite growing risks.
-
Ransomware attacks carry huge financial impacts – but CISO worries still aren’t stopping firms from paying outNews Increased anxiety over ransomware links directly to its devastating impact on business processes and one’s bottom line
-
‘The worst thing an employee could do’: Workers are covering up cyber attacks for fear of reprisal – here’s why that’s a huge problemNews More than one-third of office workers say they wouldn’t tell their cybersecurity team if they thought they had been the victim of a cyber attack.
-
Developers face a torrent of malware threats as malicious open source packages surge 188%News Researchers have identified more than 16,000 malicious open source packages across popular ecosystems
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'News The Hunters International ransomware group is rebranding and switching tactics
-
Using WinRAR? Update now to avoid falling victim to this file path flawNews WinRAR users have been urged to update after a patch was issued for a serious vulnerability.
-
A major ransomware hosting provider just got hit US with sanctionsNews Aeza Group's services were being used for ransomware, infostealers, and disinformation
-
Hackers are using PDFs to impersonate big brands like Microsoft and PayPal in a new threat campaignNews Hackers are increasingly using PDF attachments to impersonate major brands in phishing campaigns, according to new research from Cisco Talos.
-
UK firms are 'sleepwalking' into smart building cyber threatsNews The convergence of operational technology and IT systems is posing serious risks for property firms.
