Four people including three teenagers have been arrested at addresses in the West Midlands, Staffordshire and London as part of an investigation into a trio of cyber-attacks on Marks & Spencer, Co-op and Harrods.

The National Crime Agency said two 19-year-old men, a 17-year-old boy and a 20-year-old woman had been apprehended on suspicion of breaching the Computer Misuse Act, blackmail, money laundering and joining the activities of organised crime.

The head of the NCA’s national cybercrime unit, Paul Foster, said: “Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the agency’s highest priorities.

“Today’s arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.”

The arrests were supported by officers from the West Midlands organised crime unit and the East Midlands special operations unit. Those arrested were a 17-year-old British boy from the West Midlands, a 19-year-old Latvian man from the West Midlands, a 19-year-old British man from London and a 20-year-old British woman from Staffordshire.

All four of those apprehended were arrested at their home addresses and their electronic devices were seized for forensic analysis.

The NCA told the BBC in May that it was looking at the involvement in the attacks of Scattered Spider, a loose collective of native English-speaking hackers.

M&S was the first retailer to be attacked in April in an incident that forced the closure of its online store for nearly seven weeks. Co-op was attacked the same month and forced to shut down parts of its IT system. Harrods announced on 1 May that it had been targeted and restricted internet access across its websites after attempts to gain unauthorised access to its systems.

Foster said: “Cyber-attacks can be hugely disruptive for businesses, and I’d like to thank M&S, Co-op and Harrods for their support to our investigations. Hopefully this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process. The NCA and policing are here to help.”

The arrests came days after the M&S chair, Archie Norman, told MPs that two other large British companies had been affected by unreported cyber-attacks in recent months, as he detailed the “traumatic” attack on the retailer.

Norman added that the M&S attack involved the deployment of ransomware – malicious software that effectively locks up computer systems. Hackers then typically demand a ransom in exchange for unlocking those systems, hence the term ransomware.

Norman would not comment on whether M&S had paid a ransom. He also confirmed the involvement of DragonForce, an intermediary group that leases ransomware and other hacking in infrastructure to cybercriminals in a process known as ransomware-as-a-service.

An M&S spokesperson said: “We welcome this development and thank the NCA for its diligent work on this incident.”

A Co-op spokesperson said: “Hacking is not a victimless crime. Throughout this period, we have engaged fully with the NCA and relevant authorities, and are pleased on behalf of our members to see this had led to these arrests today.”