Authorities have arrested four individuals in connection with the recent cyber-attacks that disrupted operations at M&S and the Co-op.
According to the National Crime Agency (NCA), a 20-year-old woman was taken into custody in Staffordshire, while three men, aged 17 to 19, were apprehended in London and the West Midlands.
The arrests were made on suspicion of offenses under the Computer Misuse Act, as well as allegations of blackmail, money laundering, and involvement in organized criminal activity.
Law enforcement officials executed early morning raids at the suspects’ residences on Thursday, seizing electronic devices as part of the investigation.
One of the suspects, a 19-year-old man, is a Latvian national, while the remaining individuals are from the UK.
Eyewitnesses described a significant police presence in the quiet Staffordshire neighborhood where the 20-year-old woman was arrested.
Residents reported that numerous NCA officers, some wearing balaclavas, arrived early Thursday and forcibly entered a family home. Authorities were later observed removing a large quantity of electronic equipment.
Paul Foster, head of the NCA’s National Cyber Crime Unit, characterized the arrests as a “significant step” in the ongoing investigation.
“Our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice,” he stated.
The cyber-attacks, which commenced in mid-April, caused substantial disruptions for both retailers.
The Co-op experienced weeks of depleted stock on its shelves, while M&S anticipates operational impacts extending into late July, with full restoration of IT systems not expected until October or November.
The chairman of M&S informed Members of Parliament this week that the cyber-attack felt like an attempt to destroy the business, estimating a potential loss of £300 million in profits.
Harrods was also targeted in a similar attack, although it experienced less operational impact.
M&S was the initial target, with a substantial amount of sensitive customer and employee data being stolen.
The perpetrators also deployed ransomware, a type of malicious software that encrypts a company’s IT networks, rendering them unusable unless a ransom is paid.
The BBC revealed that the hackers had sent an offensive email to the M&S CEO, demanding payment.
Shortly after the breach at M&S, the Co-op was also targeted, with criminals gaining access to and stealing the private data of millions of customers and employees.
The Co-op was compelled to acknowledge the data breach after hackers contacted the BBC with evidence suggesting the company was downplaying the extent of the cyber-attack.
The BBC later learned from the criminals that the company disconnected the internet from its IT networks just in time to prevent the deployment of ransomware, averting even greater disruption.
Soon after the Co-op announced its attack, luxury retailer Harrods disclosed that it had also been targeted and had been forced to disconnect IT systems from the internet to prevent further intrusion.
The individuals arrested include a 17-year-old British male from the West Midlands, a 19-year-old British man from London, a 19-year-old Latvian male from the West Midlands, and a 20-year-old British woman from Staffordshire.
The NCA stated that its operation was supported by officers from the West Midlands Regional Organised Crime Unit and the East Midlands Special Operations Unit.
Sign up for our Tech Decoded newsletter to follow the world’s top tech stories and trends. Outside the UK? Sign up here.
The State Department says it is investigating the incident, in which an “unknown individual” impersonated Rubio through the app Signal.
It comes amid a growing threat of cyber-attacks, including fraud, ransomware, and hostile activity.
It comes after the firm announced a £2m investment in new software to help prevent cyber attacks.
The sportswear giant says criminals accessed its systems through a “third-party customer service provider.”
M&S said earlier this week that the hackers got into systems via a third party – but did not say who that was.