The National Crime Agency (NCA) said the people were arrested early on Thursday morning on suspicion of blackmail, money laundering, offences linked to the Computer Misuse Act and taking part in the activities of an organised crime group.
The arrests included a 17-year-old British man from the West Midlands, a 19-year-old Latvian man from the West Midlands, a 19-year-old British man from London and a 20-year-old British woman from Staffordshire.
All four were arrested at their home addresses and remain in custody. They have not been named.
Their electronic devices have been seized for digital forensic analysis.
Paul Foster, head of the NCA’s National Cyber Crime Unit, said: “Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the agency’s highest priorities.
“Today’s arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.
“Cyber attacks can be hugely disruptive for businesses and I would like to thank M&S, Co-op and Harrods for their support to our investigations. Hopefully this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process. The NCA and policing are here to help.”
The M&S cyber incident was discovered around Easter time and wiped tens of millions off its market value.
Here’s what we know about the M&S cyber attack:
What happened in the M&S cyber attack?
Marks & Spencer first revealed the cyber attack on Monday, April 21, after customers reported payment issues and delays receiving online orders.
In an email to customers, M&S chief executive Stuart Machin wrote: “Over the last few days, M&S has been managing a cyber incident. To protect you and the business, it was necessary to temporarily make some small changes to our store operations, and I’m sincerely sorry if you experienced any inconvenience.
“Importantly, our stores remain open, and our website and app are operating as normal. There is no need for you to take any action at this time, and if the situation changes, we will let you know.”
M&S employs about 64,000 people and operates more than 1,400 stores globally.
“This is a pretty bad episode of ransomware,” he said.
“It’s a highly disruptive event and a very difficult one for them to deal with.”
“I would suggest there’s a high level of confidence this is a ransomware-style event,” Dan Card, cyber expert at BCS, the chartered institute for IT, told the BBC.
“I describe these as like a digital bomb has gone off. So recovering from them is often both technically and logistically challenging… the victim organisation is likely going to be working around the clock to respond and recover.”
Ransomware is a type of malicious software that locks or encrypts a victim’s data and demands payment, usually in cryptocurrency, to restore access.
Who was behind the M&S cyber attack?
It’s not yet known publicly if the arrested individuals are part of the hacking group.
BleepingComputer reported that the group was suspected of breaching M&S systems as early as February 2025, allegedly stealing the Windows domain’s NTDS.dit file, a sensitive database containing user credentials. They are also believed to have used ransomware to encrypt parts of M&S’s infrastructure.
Also known as UNC3944, Octo Tempest or Muddled Libra, Scattered Spider is reportedly known for using advanced social engineering tactics, including phishing and multi-factor authentication (MFA) fatigue attacks, to infiltrate large organisations.
Phishing tricks users into revealing sensitive information, while MFA fatigue involves bombarding users with repeated login requests in hopes they’ll approve one out of frustration or confusion.
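From the defender's side, MFA fatigue leaves a recognisable trace: a burst of rejected or ignored push prompts for one account, sometimes ending in an approval. The following Python is an added example, not part of the original report; the log format, outcome names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA log lines: ISO time, user, prompt outcome.
# The format and the outcome names are assumptions for this example.
SAMPLE_LOG = """\
2025-01-15T02:10:05 alice push_denied
2025-01-15T02:10:40 alice push_timeout
2025-01-15T02:11:15 alice push_denied
2025-01-15T02:11:50 alice push_timeout
2025-01-15T02:12:30 alice push_denied
2025-01-15T02:13:02 alice push_approved
2025-01-15T09:00:00 bob push_denied
2025-01-15T09:00:30 bob push_approved
2025-01-15T11:00:00 carol push_timeout
2025-01-15T11:20:00 carol push_timeout
2025-01-15T11:40:00 carol push_timeout
2025-01-15T12:00:00 carol push_timeout
2025-01-15T12:20:00 carol push_timeout
"""

def detect_mfa_fatigue(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for users who got >= threshold rejected or ignored
    push prompts inside `window`, noting whether an approval followed."""
    recent = defaultdict(deque)   # user -> times of denied/timed-out prompts
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, user, outcome = line.split()
        when = datetime.fromisoformat(stamp)
        fails = recent[user]
        # Drop prompts that have aged out of the sliding window.
        while fails and when - fails[0] > window:
            fails.popleft()
        if outcome in ("push_denied", "push_timeout"):
            fails.append(when)
            if len(fails) == threshold:
                alerts.append((user, "prompt_burst", stamp))
        elif outcome == "push_approved":
            # An approval right after a burst is the case to escalate.
            if len(fails) >= threshold:
                alerts.append((user, "approved_after_burst", stamp))
            fails.clear()
    return alerts
```

In the sample, only alice is flagged: bob's single mistaken denial and carol's widely spaced timeouts stay below the threshold inside the window.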

Hackers from the renowned Scattered Spider group were reportedly behind the M&S cyber attack
“Scattered Spider is one of the most dangerous and active hacking groups we’re monitoring,” Graeme Stewart, the head of public sector at security company Check Point, told Sky News.
“Since they first appeared in 2022, they have been linked to more than 100 targeted attacks across industries such as telecoms, finance, retail and gaming.”
BleepingComputer reported that DragonForce ransomware was deployed to VMware ESXi hosts on April 24 to encrypt virtual machines. The group reportedly gained access to M&S systems and remained undetected for weeks.
Scattered Spider reportedly comprises young hackers, some as young as 16, who frequent hacker forums, Telegram channels, and Discord servers. Some members are also believed to be linked to the “Com”, a loosely affiliated group known for cyber and real-world criminal activity that has drawn media attention.
What impact has the cyber attack had on M&S?
Nayna McIntosh, a former M&S executive and founder of Hope Fashion, said the decision to halt online orders was comparable to “cutting off a limb.”
Susannah Streeter, head of money and markets at Hargreaves Lansdown, said the pause on online orders will be “hugely damaging for sales”.
“Fashion sales are likely to take a big hit particularly as the attack has come during the spell of warm weather when summer ranges would ordinarily be piling up in digital baskets,” she added. “While other retailers haven’t been immune to IT breaches, the depth of Marks and Spencer’s problems in resolving the issue are worrying, and it may take some time to win back some warier shoppers.”
Shares fell 2.2 per cent to 377.3p on Monday morning, with more than £700 million wiped from the company’s market value since the cyber attack.