Four people have been arrested and taken into custody across the UK in a National Crime Agency investigation into the April and May 2025 cyber attacks on Marks & Spencer (M&S), Co-op Group and Harrods.
The arrests of two men aged 19, a third aged 17 and a 20-year-old woman were made at their home addresses in London, Staffordshire and the West Midlands, with support from West Midlands Regional Organised Crime Unit (Rocu) and the East Midlands Special Operations Unit.
The four are suspected of offences under the Computer Misuse Act of 1990, blackmail, money laundering and participating in the activities of an organised crime group. A number of electronic devices have been seized for forensic analysis.
The attacks, which unfolded in the space of around 10 days during the spring, saw cyber criminals gain access to the victimised retailers’ systems via social engineering tactics, potentially involving a common third-party supplier. For M&S, it resulted in the suspension of online shopping and disruption to food deliveries as IT security staff worked overtime and slept in the office at the height of the chaos. Nearly three months on, the retailer has still not made a full recovery. Co-op and Harrods, meanwhile, proved to be somewhat more resilient and were affected to a lesser degree.
“Since these attacks took place, specialist NCA cyber crime investigators have been working at pace and the investigation remains one of the agency’s highest priorities,” said NCA National Cyber Crime Unit deputy director Paul Foster.
“Today’s arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice,” he said.
Given the ongoing and highly vulnerable nature of its investigation, which spans multiple law enforcement agencies from other countries, the NCA is playing its cards close to its chest, and for this reason further details of the arrests are more limited than usual.
Computer Weekly understands all four individuals – none of whom can be named at the present time – are considered vulnerable and present various concerns from a safeguarding perspective. Additionally, none of them have yet been charged or convicted or any offences, and their right to a fair trial is sacrosanct.
Although the arrests are all linked to the three distinct attacks, a firm attribution to the cyber crime collective that has been widely linked to the incidents cannot be made at this time, and nor should any link to any other recent attacks yet be inferred.
Positive development
The NCA thanked all three organisations, M&S, Co-op and Harrods, for their support of the wider investigation that has led to this point.
“Hopefully, this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process. The NCA and policing are here to help,” said Foster.
Following candid evidence presented by M&S chairman Archie Norman before a Parliamentary sub-committee this week, Foster told Computer Weekly that he wanted to encourage more open dialogue around cyber attacks.
“It was good to see Archie Norman speak so openly,” he said. “I do welcome the policy narrative, the public narrative and the discussion, and I hope that is something that my team and others can use going forwards to help keep the public safer from cyber crime in the future.”
Charles Carmakal, chief technology officer for Mandiant Consulting at Google Cloud, who has been investigating the string of cyber attacks as they unfolded, hailed a “significant win” in the fight against the hackers.
“Their aggressive social engineering tactics and relentless pursuit of access have proven particularly challenging for many defenders and resulted in considerable damage to organisations in the UK and US,” said Carmakal.
“This action by law enforcement underscores the critical importance of international collaboration in combating cyber crime. Previous arrests have impacted their operations, causing a significant lull in activity. This is a critical window for organisations to fortify their defenses against this collective.”
