Massive Cyberattacks Lead to Data Theft of 6.5 Million Co-op Retail Members in the UK
In April 2025, a series of coordinated cyberattacks targeted three major UK retailers - Co-op, Marks & Spencer (M&S), and Harrods. The attacks caused significant operational disruption and substantial financial losses, particularly affecting M&S, which was forced to suspend online orders in the UK and Ireland, while physical stores remained open.
### Investigation and Arrests
The UK National Crime Agency (NCA) spearheaded the investigation into the cyberattacks. Four individuals were arrested early in July 2025 on suspicion of offenses including blackmail, money laundering, violating the Computer Misuse Act, and participating in an organized crime group. The arrested suspects, aged between 17 and 20, were from the West Midlands, London, and Staffordshire. Their electronic devices were seized for digital forensic analysis.
Paul Foster, head of the NCA’s National Cyber Crime Unit, emphasized the priority of this investigation and acknowledged close cooperation with the affected companies.
### Suspects and Possible Groups
Although the NCA did not publicly announce the name of the criminal group responsible, cybersecurity analysts suspect the involvement of a decentralized cybercrime group known as Scattered Spider. This group is considered a persistent and skilled adversary by experts, including Kaspersky’s Global Research & Analysis Team (GReAT).
### Aftermath and Impact
The financial losses from the attacks on M&S and Co-op were estimated between £270 million and £440 million (approximately $363 million to $592 million). M&S experienced a significant hit, losing about £300 million ($409 million) in operating profit due to the disruption.
The attacks caused empty shelves at stores and difficulties with payment systems, compounding the operational impact and customer disruption. The incident underscored the importance for businesses to engage law enforcement promptly when encountering cyberattacks, as emphasized by the NCA.
### Co-op's Response and Partnership
Co-op, the UK retail cooperative affected by the data breach, disconnected internet access from their IT networks just in time to prevent the deployment of ransomware. The breach included the compromise of names, addresses, and contact information, affecting 6.5 million members. No financial or transaction data was accessed during the breach.
In response, Co-op has partnered with cybersecurity recruitment company The Hacking Games to identify young talent and channel their skills into legitimate careers. The program aims to redirect potential cybercriminals towards legal pathways, with research suggesting that career development opportunities can successfully deter young individuals from criminal activities. The partnership includes a pilot programme with Co-op Academies Trust, which operates 38 schools across England.
As the investigation continues, the NCA works to bring the perpetrators to justice while managing the extensive financial and operational fallout from these significant cyberattacks.
The UK National Cyber Crime Unit, led by Paul Foster, is prioritizing the investigation into the cyberattacks on Co-op, Marks & Spencer, and Harrods, with four suspects arrested in July 2025. Unnamed experts suspect the involvement of a decentralized cybercrime group known as Scattered Spider, and the financial losses from the attacks on M&S and Co-op are estimated to be between £270 million and £440 million, underscoring the need for businesses to take cybersecurity seriously. On the positive side, Co-op, one of the affected retailers, is partnering with cybersecurity recruitment company The Hacking Games to develop young talent, aiming to redirect potential cybercriminals towards legitimate careers in technology, particularly within the realm of cybersecurity.
