Arrests made in hunt for hackers behind cyber attacks on M&S and Co-op
The suspects remain in custody for questioning by officers from the NCA's National Cyber Crime Unit


The UK’s National Crime Agency (NCA) has arrested four people believed to be linked to the cyber attacks on Marks and Spencer (M&S), Co-op, and Harrods.
In a statement, the crime agency said two 19-year-old men, a 17-year-old boy, and a 20-year-old woman were arrested at locations in the West Midlands and London on suspicion of offences committed under the Computer Misuse Act, as well as blackmail, money laundering, and involvement in organized crime.
The NCA said the suspects remain in custody for questioning by officers from its National Cyber Crime Unit.
30% off Keeper Security's Business Starter and Business plans
Keeper Security is trusted and valued by thousands of businesses and millions of employees. Why not join them and protect your most important assets while taking advantage of this special offer?
Electronic devices belonging to the suspects have been seized as part of the operation and are awaiting digital forensic analysis, the agency confirmed.
Commenting on the arrests, deputy director Paul Foster, head of the NCA’s National Cyber Crime Unit, said the arrests mark a “significant step in the investigation into the attacks which rocked UK retailers earlier this year.
“Since these attacks took place, specialist NCA cyber crime investigators have been working at pace and the investigation remains one of the agency's highest priorities,” he said.
"Cyber attacks can be hugely disruptive for businesses and I'd like to thank M&S, Co-op and Harrods for their support to our investigations,” Foster added.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
“Hopefully this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process. The NCA and policing are here to help."
UK retailers shaken by disruptive attacks
The alleged offenses took place in April 2025, when all three retailers were hit by cyber attacks. The impacts on the businesses and their customers have been quite different, however.
The experience of M&S, which was the first to report suffering an incident, has been particularly drawn out. In the immediate wake of the incident, the retailer was forced to pause online orders and click and collect services for customers across the UK.
M&S resumed orders in early June, six weeks after the attack. The cost of recovery is expected to range in the hundreds of millions for the company.
The alleged attack on M&S was followed quickly by disruption at Co-op, which left customers across the UK facing empty shelves. Those living in parts of the Scottish Highlands and Islands were particularly badly affected as these were often the only food retailers in the area.
Harrods, the third alleged target, only experienced minor disruption for a limited time, however.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.
-
Why does the US continue to grapple with full-fibre rollout?
In-depth Despite increased remote work and AI access demands, full-fiber rollout in the US continues to fall short
-
Enterprises need to sharpen up on software supply chain security
News A new report from LevelBlue shows many enterprises are failing on software supply chain security, despite growing risks.
-
Ransomware attacks carry huge financial impacts – but CISO worries still aren’t stopping firms from paying out
News Increased anxiety over ransomware links directly to its devastating impact on business processes and one’s bottom line
-
‘The worst thing an employee could do’: Workers are covering up cyber attacks for fear of reprisal – here’s why that’s a huge problem
News More than one-third of office workers say they wouldn’t tell their cybersecurity team if they thought they had been the victim of a cyber attack.
-
Developers face a torrent of malware threats as malicious open source packages surge 188%
News Researchers have identified more than 16,000 malicious open source packages across popular ecosystems
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Using WinRAR? Update now to avoid falling victim to this file path flaw
News WinRAR users have been urged to update after a patch was issued for a serious vulnerability.
-
A major ransomware hosting provider just got hit US with sanctions
News Aeza Group's services were being used for ransomware, infostealers, and disinformation
-
Hackers are using PDFs to impersonate big brands like Microsoft and PayPal in a new threat campaign
News Hackers are increasingly using PDF attachments to impersonate major brands in phishing campaigns, according to new research from Cisco Talos.
-
UK firms are 'sleepwalking' into smart building cyber threats
News The convergence of operational technology and IT systems is posing serious risks for property firms.