Four Arrested in Connection to Cyber-Attacks on M&S and Co-op

Key Takeaways:

  • Four individuals aged 17 to 20 have been arrested in the UK and Latvia for suspected involvement in cyber-attacks against M&S and Co-op.
  • The attacks caused widespread operational disruption, including empty shelves and compromised IT systems, with M&S estimating losses of £300 million.
  • Charges include computer misuse, blackmail, money laundering, and participation in an organized crime group.
  • Ransomware was deployed against M&S, while Co-op managed to isolate its systems in time to prevent encryption.
  • The investigation is ongoing, with the National Crime Agency (NCA) working alongside international partners.

Authorities in the UK have arrested four individuals suspected of carrying out cyber-attacks on major British retailers Marks & Spencer and Co-op. The arrests mark a major development in a months-long investigation into one of the most disruptive waves of cyber incidents to hit the UK retail sector this year.

The National Crime Agency (NCA) confirmed that a 20-year-old woman was apprehended in Staffordshire, while three males—aged 17 to 19—were detained in coordinated raids across London and the West Midlands. One of the suspects, a 19-year-old, is a Latvian national; the remaining three are British citizens.

According to the NCA, the arrests were made under suspicion of multiple offences, including violations of the Computer Misuse Act, blackmail, money laundering, and involvement in an organized crime group. Electronic devices were seized during the early morning raids.

Paul Foster, head of the NCA’s National Cyber Crime Unit, described the arrests as “a significant step” in the broader investigation. He noted that efforts are continuing in collaboration with international partners to identify and prosecute others involved.

The cyber-attacks first came to light in April when M&S disclosed a breach that led to the theft of significant customer and employee data. The hackers deployed ransomware to disable IT systems and followed up with a threatening email to the company’s chief executive demanding a ransom. The attack rendered large portions of the company’s network inoperable and is expected to impact operations through the fall.

The company’s chairman told UK lawmakers earlier this week that the incident appeared to be an attempt to “destroy the business.” M&S has estimated that the total financial impact of the breach could approach £300 million in lost profits.

Shortly after M&S was attacked, the Co-op reported its own breach. Initially downplayed by the company, the breach was later confirmed after the attackers contacted media outlets directly and provided evidence. Unlike M&S, the Co-op managed to disconnect its systems from the internet before ransomware could be deployed, potentially limiting the damage.

However, Co-op still suffered substantial data loss, including information belonging to millions of customers and employees. Shelves across several stores were left bare for weeks as the company worked to bring systems back online.

Luxury department store Harrods was also targeted in the same period, though it managed to contain the incident without experiencing major disruption. Harrods admitted it had taken preventative measures, including disconnecting IT systems from external networks.

The arrested individuals are:

  • A 17-year-old British male from the West Midlands
  • A 19-year-old British male from London
  • A 19-year-old Latvian male residing in the West Midlands
  • A 20-year-old British woman from Staffordshire

Residents near the Staffordshire arrest location described a large police presence and confirmed that NCA officers removed a substantial amount of electronic evidence. Eyewitnesses noted the scale of the operation, with officers in tactical gear arriving early in the morning and forcibly entering the residence.

The NCA said its enforcement action was supported by the West Midlands Regional Organised Crime Unit and the East Midlands Special Operations Unit.

These arrests follow earlier speculation by law enforcement that the hackers were a loosely connected group of young individuals based in the US and UK. Investigators believe that the group had been probing several British retailers in a coordinated series of attacks, motivated by both financial gain and notoriety.

The investigation underscores a growing trend in the cyber threat landscape: opportunistic, highly disruptive attacks targeting legacy infrastructure across major sectors. In these cases, ransomware wasn’t always deployed successfully, but the threat alone—and the risk of further exposure—caused significant operational damage.

The incidents also spotlight the evolving tactics of threat actors, who now bypass corporate disclosure channels by contacting journalists directly to amplify the impact and force public acknowledgement. In both the M&S and Co-op cases, hackers reached out to reporters with evidence of stolen data, undermining initial containment narratives.

For businesses, the takeaway is clear: cybersecurity preparation must include both technical hardening and crisis communications planning. The rapid escalation from breach to public pressure, combined with regulatory expectations around transparency, has changed how organizations must respond.

As investigators continue analyzing seized devices and tracing financial flows, it’s likely more details will emerge about the structure of the group and the methods used to exploit these high-profile targets. For now, the NCA considers these arrests a breakthrough, but not the end of the case.

Learn how AI Agents can supercharge your company’s profits and productivity at TMC’s AI Agent Event, Sept 29-30, 2025 in DC.

If you liked this post, you’ll love one of the the leading global business communications and technology events since 1999, the ITEXPO #TECHSUPERSHOW, Feb 10-12, 2026 Fort Lauderdale, Florida.

Don’t forget the collocated MSP Expo – just for managed service providers!

Aside from his role as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.

The above is not an endorsement or recommendation to buy/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.

The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.

Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing


 

Loading
Share via
Copy link
Powered by Social Snap