Marks & Spencer Cyber Attack – UK Police Arrest Four Suspects

British authorities have arrested four individuals in connection with a series of high-profile cyber-attacks that caused months of disruption and significant financial losses for leading UK retailers Marks & Spencer (M&S), Co-op, and Harrods. The arrests, carried out in coordinated early-morning operations on Thursday, mark a significant step in the ongoing investigation led by the National Crime Agency (NCA) into an April cyber-attack spree that shook the British retail sector and reverberated internationally.
The suspects, aged between 17 and 20, include three males—two aged 19 and one 17—and a 20-year-old woman. British police apprehended the suspects at their residences in the West Midlands, London, and Staffordshire. One of the 19-year-old males is a Latvian national; the others are British. All four remain in custody and are being investigated for alleged offences including violations of the Computer Misuse Act, blackmail, money laundering, and participation in an organised crime group. Authorities also seized multiple electronic devices during the arrests, which are now being examined for forensic evidence.
The NCA’s operation was supported by regional cybercrime and organised crime units from both the West Midlands and East Midlands, highlighting the collaborative approach to tackling sophisticated cybercriminal activity. The investigation is ongoing, with British authorities working alongside international partners to identify further suspects and uncover the full extent of the criminal network involved.
The wave of cyber-attacks began in mid-April and targeted some of the UK’s most recognised high street names. Marks & Spencer, one of the first and hardest-hit companies, was forced to take its online operations offline, suspending orders on its website, app, and telephone sales channels for six weeks starting from Easter Sunday. The retailer’s chairman reported to lawmakers that the incident resulted in an estimated loss of £300 million in profits, underscoring the severe financial and operational impact. Stores faced product shortages, while employees were forced to revert to manual processes, contributing to significant food wastage and further business inefficiencies.
Investigations revealed that the attack on M&S stemmed from a breach enabled by social engineering, in which the attackers manipulated a third-party supplier to gain unauthorised access to the company’s systems. This access allowed the perpetrators to infiltrate IT networks, deploy ransomware, and exfiltrate sensitive customer and employee data. The criminals used offensive emails to demand ransom payments, further disrupting the company’s operations and security posture.
The Co-op was also severely affected. The attack compromised back-office and call-centre systems, forcing the retailer to shut down parts of its IT infrastructure in a bid to contain the threat. While Co-op stores managed to remain open for customers, the aftershocks of the incident were visible in the form of empty shelves and disrupted payment systems, as well as the theft of personal data belonging to Co-op members. The company acknowledged that some of the attack’s true extent only came to light after hackers contacted media organisations directly with evidence of their exploits. Rapid intervention by IT staff, including disconnecting certain networks from the internet, prevented an even larger ransomware deployment and further damage.
Luxury department store Harrods also confirmed that it had been targeted in the spree. While the operational impact was less severe than for M&S or Co-op, Harrods was forced to temporarily restrict internet access across its sites as a defensive measure to limit the hackers’ reach.
The method of attack in these incidents involved a combination of social engineering and technical exploitation, which allowed the perpetrators to bypass security measures and deploy ransomware, effectively locking companies out of their own networks unless a ransom was paid. The attacks not only resulted in significant financial losses but also placed millions of customers’ and employees’ personal data at risk.
The investigation into these attacks is ongoing, with authorities examining possible links to international hacker groups known for their aggressive tactics and complex cyber operations. The so-called Scattered Spider group, notorious for its decentralised structure and social engineering campaigns, has been linked by cybersecurity analysts to the attacks on UK retailers as well as other incidents affecting U.S.-based companies in the insurance and aviation sectors. While the NCA has not officially confirmed whether the four individuals arrested are associated with Scattered Spider, the group’s methods—using deception to extract credentials from third parties and deploy ransomware—closely match the tactics observed in the April attacks.



