Arrests made after M&S, Co-op and Harrods cyber attacks
Four people, including three teenagers and a 20-year-old woman, have been arrested in connection with a wave of cyber attacks that crippled M&S, the Co-op and Harrods.
The group allegedly unleashed ransomware that stole millions of customer records, shut down online orders and left supermarket shelves bare.
The National Crime Agency (NCA) said the individuals were arrested early on Thursday morning on suspicion of blackmail, money laundering, offences linked to the Computer Misuse Act and participating in the activities of an organised crime group.
The arrests included a 17-year-old British man from the West Midlands, a 19-year-old Latvian man from the West Midlands, a 19-year-old British man from London and a 20-year-old British woman from Staffordshire.
All four were arrested from their home addresses and remain in custody. The police also seized electronic devices from the properties.
These arrests will be a “massive blow to the gang of cybercriminals involved in these attacks” Jake Moore, cybersecurity advisor at ESET said, adding that while “it won’t eradicate future attacks… it will disrupt criminal networks”.
“It’s extremely difficult to catch cybercriminals, primarily due to the tools on offer to obfuscate their involvement.”
“It shows the successes of law enforcement agencies working together in collaboration and how this remains the best way in catching digital criminals,” Moore said.
Household names targeted in cyber attacks
A swathe of UK firms – including M&S, Harrods and the Co-op – have been attacked by cyber criminals this year, with Marks and Spencer taking a £300m loss due to disruption.
Meanwhile, Co-op saw payments disrupted and shelves become bare from May because of the fallout of its cyber attack.
Hackers also stole Co-op members’ personal data, such as names and contact details.
Harrods restricted internet access across its websites in May following attempts to gain unauthorised access to its systems.
The arrests mark a breakthrough in police efforts to investigate the attacks, which had been linked to the Scattered Spider group of hackers.
Moore warned that locating “enough solid evidence” to produce in court and prosecute is “the most difficult aspect in any cybercrime investigation… it will be vital that these agencies work thoroughly towards locating outright proof of their involvement.”
Paul Foster, head of the NCA’s National Cyber Crime Unit, said: “Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the agency’s highest priorities.
“Today’s arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.
“Hopefully this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process.”
An M&S spokeswoman said: “We welcome this development and thank the NCA for its diligent work on this incident.”
A Co-op spokeswoman said: “Hacking is not a victimless crime.
“Throughout this period, we have engaged fully with the NCA, and relevant authorities and are pleased on behalf of our members to see this had led to these arrests today.”
M&S chair brands attack ‘tramatic’
The chair of M&S, Archie Norman, appeared at a select committee earlier this week, calling for mandatory reporting on cyber incidents.
“It’s not an overstatement to describe it as traumatic,” Norman said. “We’re still in the rebuild mode, and we will be for some time to come.”
M&S has largely restored online services, but doesn’t expect to fully return to normal until August.
“It’s very rare to have a criminal act in another country or in this country… essentially trying to destroy your business,” Norman said. “It’s like an out of body experience.”
Norman called for mandatory reporting on cyber attacks, supported by Professor Ciaran Martin, the founding director of the national cyber security centre (NCSC).
“M&S can and have looked after themselves. They’ve made their announcements; they’re still trading well. But the criminals have given us a playbook here […] that is the worry,” Martin said.
A ‘youth crisis driven by gaming’
One boss described the recent wave of attacks as a “youth crisis… kids are being groomed online by criminal gangs, drawn in through gaming forums and Discord servers.”
It starts with curiosity, and before long, they’re doing real harm to real people without fully understanding the consequences. We talk a lot about the damage cybercriminals cause, but we rarely talk about who the criminals are. Behind every major breach is often a teenager, and behind them is a story of missed opportunity,” Fergus Hay, CEO at Hacking Games said.
“Gaming is the gateway… it’s where cybercrime culture thrives because no one is offering them an alternative. These kids will either become generational liabilities or generational assets.
“This is a social emergency. If we want to stop this from happening again, we need to meet kids where they are – in games, online, in the community. That means making cybersecurity feel relevant and giving them real opportunities to belong, contribute, and build something meaningful. We want to channel curiosity, not criminalise it.”