Four people have been arrested by police investigating cyber attacks targeting M&S, Co-op and Harrods.

A 20-year-old woman and two males, both aged 19, and a male aged 17, were detained in London and the West Midlands this morning as part of a National Crime Agency (NCA) operation.

They were arrested at their homes on suspicion of Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group.

Money blog: Cost of renting over owning home is a lot

Electronic devices were seized from the suspects and are currently being analysed by forensic experts.

M&S halted online orders, and shelves were empty in shops after the cyber attack on the retailer earlier this year.

The initial hack into the retailer’s systems took place in April through “sophisticated impersonation” involving a third party.

Disruption is expected to continue at the retailer until the end of this month.

The Co-op and Harrods were also subsequently targeted by hackers.

Paul Foster, head of the NCA’s National cybercrime unit described the arrests as a “significant step” in their investigation, which remains “one of the Agency’s highest priorities”.

He added: “…our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.”

The National Crime Agency is keen to “signal” to “future victims” the “importance of seeking support and engaging with law enforcement”, stating that “the NCA and policing are here to help”.

The NCA has also thanked M&S, Co-op and Harrods for their support in their investigations.

The arrests, which took place early on Thursday morning, were supported by officers from the West Midlands Regional Organised Crime Unit and the East Midlands Special Operations Unit.

Earlier this week, the chairman of M&S told MPs that the hack had been “traumatic” and like an “out-of-body experience”.

Follow The World

Listen to The World with Richard Engel and Yalda Hakim every Wednesday

Tap to follow

Archie Norman, however, refused to be drawn on whether the retailer had paid any ransom.

“We are not discussing any of the details of our interaction with the threat actor, including this subject, but that subject is fully shared with the NCA,” he said.

It is estimated that the cyber attack will cost M&S up to £300m this year.

Read more:
South West Water agrees to pay £24m for wastewater failures
Royal Mail to scrap second-class post on Saturdays and some weekdays

Days after M&S was attacked, the Co-op was targeted and forced to shut down some internal systems.

Harrods was then hacked, and also had to shut some systems despite its website and shops continuing to operate.

Of those arrested, a 17-year-old British male and a 19-year-old Latvian male were from the West Midlands.

A 19-year-old man was from London and a 20-year-old woman from Staffordshire.

A New York-listed company with a valuation of more than $21bn is to snap up Space NK, the British high street beauty chain.

Sky News has learnt that Ulta Beauty, which operates close to 1,500 stores, is on the verge of a deal to buy Space NK from existing owner Manzanita Capital.

Ulta Beauty is understood to have registered an acquisition vehicle at Companies House in recent weeks.

Money blog: Top chef reveals thing he hates about customers

The exact price being paid by Ulta was unclear on Thursday morning, although one source said it was likely to be well in excess of £300m.

Manzanita Capital, a private investment firm, engaged bankers at Raymond James to oversee an auction in April 2024.

The firm has owned Space NK for more than 20 years.

Manzanita has also owned the French perfume house Diptyque and Susanne Kaufmann, an Austrian luxury skincare brand.

Read more from Sky News:
Royal Mail to scrap second-class post on some days
Warning a pub a day to close this year

Founded in 1993 by Nicky Kinnaird, Space NK – which is named after her initials – trades from dozens of stores and employs more than 1,000 people.

It specialises in high-end skincare and cosmetics products.

Manzanita previously explored a sale of Space NK in 2018, hiring Goldman Sachs to handle a strategic review, but opted not to proceed with a deal.

None of Ulta, Manzanita, Space NK and Raymond James could be reached for comment.

Royal Mail is to be allowed to scrap Saturday second-class stamp deliveries, under a series of reforms proposed by the communications regulator.

From 28 July, Royal Mail will also be allowed to deliver second-class letters on alternate weekdays, Ofcom said.

The post will still be delivered within three working days of collection from Monday to Friday.

Money blog: Top chef reveals thing he hates about customers

The proposals had already been raised by Ofcom after a consultation was announced in 2024, and the scale back was proposed early this year.

Royal Mail had repeatedly failed to meet the so-called universal service obligation to deliver post within set periods of time.

Those delivery targets are now being revised downwards.

Rather than having to have 93% of first-class mail delivered the next day, 90% will be legally allowed.

The target for second-class mail deliveries will be lowered from 98.5% to arrive within three working days to 95%.

A review of stamp prices has also been announced by Ofcom amid concerns over affordability, with a consultation set to be launched next year.

It’s good news for Royal Mail and its new owner, the Czech billionaire Daniel Kretinsky. Ofcom estimates the changes will bring savings of between £250m and £425m.

A welcome change?

Unsurprisingly, the company welcomed the announcement.

“It is good news for customers across the UK as it supports the delivery of a reliable, efficient and financially sustainable universal service,” said Martin Seidenberg, the group chief executive of Royal Mail’s parent company, International Distribution Services.

“It follows extensive consultation with thousands of people and businesses to ensure that the postal service better reflects their needs and the realities of how customers send and receive mail today.”

Citizens Advice, however, doubted whether services would improve as a result of the changes.

“Today, Ofcom missed a major opportunity to bring about meaningful change,” said Tom MacInnes, the director of policy at Citizens Advice.

“Pushing ahead with plans to slash services and relax delivery targets in the name of savings won’t automatically make letter deliveries more reliable or improve standards.”

Acknowledging long delays “where letters have taken weeks to arrive”, Ofcom said it set Royal Mail new enforceable targets so 99% of mail has to be delivered no more than two days late.

Changing habits

Less than a third of letters are sent now than 20 years ago, and it is forecast to fall to about a fifth of the letters previously sent.

According to Ofcom research, people want reliability and affordability more than speedy delivery.

Royal Mail has been loss-making in recent years as revenues fell.

Read more from Sky News:
Greater risk to UK economy from Trump tariffs, BoE warns
What is a wealth tax and how would it work?

In response to Ofcom’s changes, a government spokesperson said: “The public expects a well-run postal service, with letters arriving on time across the country without it costing the earth. With the way people use postal services having changed, it’s right the regulator has looked at this.

“We now need Royal Mail to work with unions and posties to deliver a service that people expect, and this includes maintaining the principle of one price to send a letter anywhere in the UK”.

Ofcom said it has told Royal Mail to hold regular meetings with consumer bodies and industry groups to hear their experiences implementing the changes.