Four suspects have been arrested in connection with the major cyber attacks that disrupted operations at UK retailers Marks & Spencer (M&S) and the Co-op, the National Crime Agency (NCA) has confirmed. The cyber attacks, which began in mid-April, crippled IT systems, leaked sensitive customer data, and are expected to cost M&S an estimated £300 million in lost profits.
The NCA stated that a 20-year-old woman was arrested in Staffordshire, while three males aged between 17 and 19 were apprehended in London and the West Midlands. Among them is a 19-year-old Latvian national residing in the UK. The rest are British citizens.
Cyber Crime Charges and Seized Devices
All four suspects were detained at their homes during early morning raids on Thursday. They face serious charges under the Computer Misuse Act, including blackmail, money laundering, and involvement in an organised crime group. Police also seized various electronic devices believed to be connected to the cyber attacks.
According to Paul Foster, head of the NCA’s National Cyber Crime Unit, the arrests mark a “significant step” in a wider international investigation. “Our work continues, alongside partners in the UK and overseas, to bring those responsible to justice,” he said.
Ransomware and Data Breaches Disrupt Retail Operations
The cyber attacks were part of a coordinated wave targeting several UK retailers. M&S was the first to be hit, suffering a major breach of customer and employee data. Hackers deployed ransomware—malicious software that encrypted internal systems and demanded payment for restoration. An offensive email was reportedly sent directly to the M&S CEO demanding a ransom.
Shortly after, the Co-op confirmed it had also fallen victim to a similar attack. Millions of customers and employees had their data stolen. According to the BBC, the Co-op only narrowly avoided worse damage by disconnecting its IT systems from the internet just in time to block a full-scale ransomware deployment.
M&S executives told MPs this week that the attack felt like an “attempt to destroy the business.” Some of its IT systems are not expected to return to full operation until October or November.
Harrods Also Targeted
Luxury department store Harrods also confirmed it had been targeted, though with less severe consequences. Like Co-op, Harrods disconnected its IT systems from the internet to thwart the attack before it could escalate.
Investigation Ongoing
The arrests were carried out with assistance from the West Midlands Regional Organised Crime Unit and the East Midlands Special Operations Unit. The NCA’s investigation into the cyber attacks on UK businesses remains ongoing, with a focus on tracking international links and dismantling the organised group behind the attacks.
