Close Menu
    Ethical Hacking & Penetration Testing

    UK NCA arrested four people over M&S, Co-op cyberattacks

    HackWatchitBy No Comments5 Mins Read
    UK NCA arrested four people over M&S, Co-op cyberattacks

    UK NCA arrested four people over M&S, Co-op cyberattacks

    Pierluigi Paganini
    July 10, 2025

    NCA arrested four people in UK, including three teens, over cyberattacks on M&S, Co-op, and Harrods, per its investigation.

    The British National Crime Agency (NCA) arrested four individuals in the country following an investigation into the recent wave of attacks targeting Co-op, M&S, and Harrods.

    On July 10, Law enforcement arrested 4 youths, aged 17–20, in London and West Midlands, the police also seized their devices for evidence. One suspect is Latvian.

    “Four people have been arrested in the UK as part of a National Crime Agency investigation into cyber attacks targeting M&S, Co-op and Harrods. Two males aged 19, another aged 17, and a 20-year-old female were apprehended in the West Midlands and London this morning (10 July) on suspicion of Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group.” reads the press release published by NCA. “All four were arrested at their home addresses and had their electronic devices seized for digital forensic analysis.”

    The four suspects now face charges of Computer Misuse Act offenses, blackmail, money laundering, and participation in organized crime.

    “They remain in custody for questioning by officers from the NCA’s National Cyber Crime Unit in relation to the three attacks, which took place in April this year.” continues the press release.

    The cyberattacks on British retailers caused massive disruptions and huge financial losses to the businesses.

    “Today’s arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.” said Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit. “Cyber attacks can be hugely disruptive for businesses and I’d like to thank M&S, Co-op and Harrods for their support to our investigations. Hopefully this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process. The NCA and policing are here to help.”

    In June, the Cyber Monitoring Centre (CMC) labeled the cyberattacks on Marks & Spencer and Co-op as a Category 2 systemic event, estimating losses between £270M and £440M.

    In early May, the attackers behind the Co-op cyberattack, who go online with the name DragonForce, told the BBC that they had stolen data from the British retail and provided proof of the data breach.

    The DragonForce group also claimed the attack on M&S and told BBC that they have attempted to hack Harrods.

    The threat actors accessed the company’s internal Teams, leaked staff credentials and 10,000 customer records containing Co-op membership card numbers, names, home addresses, emails, and phone numbers. BBC pointed out that after having verified data, they destroyed it.

    DragonForce ransomware group scrambles victims’ data and demands a ransom; they are also known to steal victims’ data. DragonForce runs a cybercrime affiliate service, letting affiliates use its tools to launch attacks and extort victims. The group manages both Telegram and Discord channels, cybersecurity experts believe it is composed of English-speaking teenagers.

    The Cyber Monitoring Centre (CMC) assessed the Marks & Spencer and Co-op cyberattacks as a single major incident due to shared timing, a common threat actor, and the same techniques, tactics and procedures used by threat actors. The attacks that hit Harrods and other retailers around the same time weren’t included, as too little is known about those cases. The CMC aims to use such analysis to strengthen the UK’s cyber resilience.

    “The CMC has classified this incident as a Category 2 systemic event based on the categorisation matrix as defined in our methodology. This reflects its substantial financial impact and the economic reverberations across third-party suppliers, franchisees, and supporting services.” reads the report published by CMC.

    The CMC labeled the M&S and Co-op attacks as “narrow and deep,” with major disruption to those firms and ripple effects on partners. Unlike “shallow and broad” events, the impact here was limited to a few but severe. Most costs came from business disruption, not just IT damage. Signs point to the same threat actor using social engineering and stolen credentials to breach both companies.

    “Using available data and established modelling, the CMC estimates the total financial impact of the event across affected parties at £270 million – £440 million.” continues the report. “This includes:

    • Legal and notification costs for M&S and Co-op”
    • Direct business interruption costs resulting from lost sales (the bulk of the cost) for M&S, Co-op, franchisees, and suppliers
    • Incident response and IT restoration costs for M&S and Co-op

    The CMC estimated the M&S and Co-op cyberattack damage is mainly from business disruption. M&S alone expects a £300M hit in 2025/26. Online sales losses reached £1.3M per day before limited service resumed. Consumer spending dropped 22% at M&S and 11% at Co-op. The researchers state rural areas relying on Co-op saw notable disruption. The attack exposed retail supply chain and IT fragility. Supplier strain and costly IT rebuilds added to the impact.

    Follow me on Twitter: @securityaffairs and Facebook and Mastodon

    Pierluigi Paganini

    (SecurityAffairs – hacking, M&S)

    Share.

    Related Posts

    Comments are closed.