What Next as Arrests Made Over UK Supermarket Cyberattacks?

Police conducted several coordinated arrests this week, linked to the slew of cyberattacks that have hit the UK in recent months.

Four people have been detained in connection with a series of spring cyberattacks on M&S, Co-op and Harrods that caused widespread disruption in the UK.

Four people including three teenagers have been arrested in connection with cyberattacks that targeted major British retailers Marks & Spencer, Co-op and Harrods earlier this year.

The National Crime Agency confirmed that two 19-year-old men, a 17-year-old boy and a 20-year-old woman were detained at addresses across the West Midlands, Staffordshire and London on Thursday morning.

All four suspects were apprehended on suspicion of breaching the Computer Misuse Act, blackmail, money laundering and participating in the activities of an organised crime group.

While initial suspicions pointed to foreign hacking syndicates, the National Crime Agency (NCA) indicated that it was investigating a group known as Scattered Spider, consisting primarily of English speakers, often located across the UK and US.

Four arrests made in the UK

The arrests were carried out in the early hours of Thursday as part of a coordinated operation involving the NCA's National Cyber Crime Unit, supported by officers from the West Midlands Regional Organised Crime Unit and the East Midlands Special Operations Unit.

Electronic devices were seized during the raids, with neighbours in Staffordshire describing a large police operation involving dozens of NCA officers, some wearing balaclavas, who smashed down the door of a family home.

Paul Foster, head of the NCA's National Cyber Crime Unit, said the arrests represented “a significant step” in the investigation.

“Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the agency's highest priorities,” Paul says.

“Our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.”

The impact on the retailers

The cyber-attacks began in mid-April and caused substantial disruption to the affected retailers.

M&S was the first target, with hackers stealing vast amounts of private customer and staff data whilst deploying ransomware that scrambled the company's IT networks.

The attack forced the closure of M&S's online store for nearly seven weeks, with the retailer estimating the incident will cost US$376m in lost profits.

Co-op was targeted days later, with criminals breaching systems and stealing private data belonging to millions of customers and staff.

The retailer was forced to admit that the data breach had occurred after hackers contacted media outlets with proof that the firm was downplaying the cyberattack.

Co-op managed to disconnect the internet from IT networks in time to prevent the deployment of ransomware, which could have caused even greater disruption.

Luxury retailer Harrods announced on 1 May that it had also been targeted, though the impact on its operations was less severe than the attacks on M&S and Co-op.

The department store was forced to restrict internet access across its websites after attempts to gain unauthorised access to its systems.

Marks & Spencer is one of several firms to have been targeted by cybercrime group Scattered Spider this year | Credit: M&S

Cybersecurity under the microscope

The arrests came days after M&S Chair Archie Norman told MPs that two other large British companies had been affected by unreported cyber-attacks in recent months.

Norman described the attack on M&S as “traumatic” and suggested it felt like “an attempt to destroy the business”.

M&S expects its operations to remain affected until late July, with some IT systems not expected to be fully operational until October or November.

“Cyber-attacks can be hugely disruptive for businesses, and I'd like to thank M&S, Co-op and Harrods for their support to our investigations,” Archie says.

“Hopefully this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process.”

Elliot Dellys, CEO of Australian cybersecurity firm Phronesis Security, believes that Scattered Spider’s unusual structure has thus far made it difficult for police to bring its members to justice.

“Rather than being composed of a centralised command and control structure like Russian ransomware groups, it is believed to be composed of a disparate group of young hackers living in the United States and United Kingdom,” he explains.

“This makes effective action by law enforcement to take down the group, and its infrastructure, difficult to coordinate and execute.”

The response from the companies

Following the arrests, spokespeople from both M&S and Co-op have released statements. 

“We welcome this development and thank the NCA for its diligent work on this incident,” said M&S.

“Hacking is not a victimless crime,” says Co-op’s spokesperson. 

“Throughout this period, we have engaged fully with the NCA and relevant authorities, and are pleased on behalf of our members to see this had led to these arrests today.”
