Four Arrested in Connection With M&S & Co-op Cyberattacks

Four individuals, including three teenagers, have been arrested in connection with cyberattacks targeting prominent British retailers including Marks & Spencer, Co-op and Harrods earlier this year.

The National Crime Agency (NCA) confirmed the arrests of two 19-year-old men, a 17-year-old boy and a 20-year-old woman at locations in the West Midlands, Staffordshire and London on Thursday morning.

The suspects face allegations including breaches of the Computer Misuse Act, blackmail, money laundering and involvement in organised crime.

The investigation initially pointed towards international hacking syndicates. However, the NCA has since shifted focus to a group known as Scattered Spider, characterised by its members being predominantly English-speaking individuals located in the UK and US.

The arrests

The arrests, executed in Thursday’s early hours, were part of a coordinated effort led by the NCA's National Cyber Crime Unit. The operation was supported by the West Midlands Regional Organised Crime Unit and the East Midlands Special Operations Unit.

During the raids, electronic devices were confiscated. Residents in Staffordshire noted a substantial police presence, including NCA officers in balaclavas forcefully entering a family residence.

Paul Foster, the head of the NCA's National Cyber Crime Unit, commented on the operation, stating the arrests mark "a significant step" in their ongoing investigation.

"Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the agency's highest priorities," he said. "Our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice."

The impact on the victims

The cyberattacks, which began in mid-April, caused huge disruptions for the retailers involved.

M&S was particularly hard hit, with hackers accessing vast amounts of sensitive customer and staff data and deploying ransomware to paralyze the company’s IT systems.

This resulted in the closure of M&S's online store for almost seven weeks, with financial losses estimated to reach US$376m in lost profits.

Days later, Co-op experienced a similar breach, as criminals accessed personal data of millions of customers and staff. The breach went public when hackers shared evidence with media outlets, contradicting the retailer's initial downplaying of the incident.

However, by swiftly disconnecting their IT systems from the internet, Co-op effectively derailed a potential ransomware deployment, thereby mitigating further disruption.

Although luxury retailer Harrods also fell victim to attack by May 1, the impact on their operations was less severe. The store restricted internet access to thwart unauthorized system access.

A bad year for cybersecurity

The arrests followed statements from M&S Chair Archie Norman, who disclosed to MPs that two other substantial British companies suffered undisclosed cyberattacks this year.

Norman described the M&S cyber event as "traumatic," portraying it as an assault aimed at crippling the business.

M&S anticipates ongoing operational disruptions until late July, with full IT system recovery not expected until October or November.

"Cyber-attacks can be hugely disruptive for businesses, and I'd like to thank M&S, Co-op and Harrods for their support to our investigations," Norman commented. "Hopefully this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process."

According to Elliot Dellys, CEO of Australian firm Phronesis Security, Scattered Spider's unique structure has complicated enforcement efforts.

"Rather than being composed of a centralised command and control structure like Russian ransomware groups, it is believed to be composed of a disparate group of young hackers living in the United States and United Kingdom," Dellys explained. "This makes effective action by law enforcement to take down the group, and its infrastructure, difficult to coordinate and execute."

M&S and Co-op respond

In response to the arrests, M&S and Co-op spokespeople released statements.

"We welcome this development and thank the NCA for its diligent work on this incident," an M&S representative asserted.

Echoing this sentiment, a Co-op spokesperson stated, "Hacking is not a victimless crime. Throughout this period, we have engaged fully with the NCA and relevant authorities, and are pleased on behalf of our members to see this had led to these arrests today."