CeFPro Connect

National Crime Agency Announces Arrests as M&S Cyberattack Fallout Exposes £300 Million Hole
Four young suspects have been arrested in connection with cyberattacks that crippled major UK retailers, including Marks & Spencer, costing M&S an estimated £300 million. As shoppers faced stock shortages and online chaos, the incident laid bare just how fragile retail IT systems are—and how urgently cybersecurity investment must rise up the boardroom agenda.
Jul 11, 2025
Tags: Financial Crime Cyber Industry News
The views and opinions expressed in this content are those of the thought leader as an individual and are not attributed to CeFPro or any other organization
  • Four individuals aged 17 to 20 were arrested over April cyberattacks on major UK retailers
  • Marks & Spencer, Co-Op, and Harrods faced severe disruption to operations
  • M&S has been unable to process online clothing and homeware orders for nearly seven weeks
  • Attack expected to cost M&S £300 million in lost profits this year
  • Arrests made in the West Midlands and London by the National Crime Agency
  • Customers saw contactless payments, refunds, and loyalty schemes fail
  • Food waste and stock shortages hit physical stores as warehousing systems faltered
  • NCA says investigation continues in collaboration with international partners
  • Experts call for major cybersecurity investment across the retail sector
  • M&S aims to restore full online functionality by August

The UK’s major crime agency yesterday (July 10) announced it had made four arrests in connection with major cyber-attacks on British online retailers.

But while the firms at the centre of the attacks may feel the wheels of justice are rolling in the right direction, one of them has admitted that it is still in recovery mode two months on.

Marks & Spencer has been unable to fulfil online orders since the attack on its online infrastructure in April – one of three attacks that also included Co-Op and Harrods.

The National Crime Agency yesterday confirmed the arrests of three men and a woman, aged between 17 and 20, at properties in the West Midlands and London. All are suspected of being involved in orchestrating the April and May attacks that brought core retail operations to a grinding halt. 

The disruption was far from abstract. Shoppers across the UK saw online clothing and homeware orders vanish, contactless payments fail, and stock disappear from shelves.

Marks & Spencer, a cornerstone of the UK’s retail landscape, was forced to apologise publicly and offer customers £5 digital vouchers. But experts have warned that financial damage on this scale can’t be fixed with gift cards.

“The arrests are a significant step,” said Paul Foster, head of the NCA’s National Cyber Crime Unit, adding that the investigation remains active, with support from international law enforcement partners.

M&S hopes to restore full online functionality by August – three months after its digital systems were first compromised.

In a sector where margins are tight and consumer loyalty fragile, the scale and visibility of the outage have shaken confidence.

Beyond financial losses, the reputational damage from food waste, missed deliveries and broken loyalty programs has made it impossible to sweep this crisis under the rug.

While high-impact cyberattacks of this nature are rare, the real concern is how little resilience many household-name retailers have in the face of them.

M&S is far from a technology laggard. Yet the attack revealed deep structural vulnerabilities – from warehousing systems to customer data platforms – that were not adequately protected.

The fact that such a substantial business, with millions of daily transactions, could be brought to its knees so quickly raises fundamental questions about digital risk management in the sector.

This event will likely become a case study in what happens when cybersecurity is treated as a compliance exercise rather than a strategic imperative.

In an age of just-in-time logistics, contactless payments, and integrated online-offline customer experiences, the cost of a digital breach is no longer theoretical. For M&S, it’s £300 million ($406.9 million) and counting. 

No marketing campaign or HR initiative could have saved – or generated – that amount in six weeks. But better cyber preparedness just might have.

That is the challenge now facing every retailer that has watched this saga unfold. Because next time, it could be their turn.
