When private cybersecurity outsourcing costs us all

TCS ties Co-op, M&S, and JLR to a multimillion-pound crisis, and the taxpayer could be on the hook again

The cyberattack on Jaguar Land Rover is showing us in real time how individual decisions from private enterprise to outsource tech functions like cybersecurity can end up having a much bigger impact, and a cost to taxpayers.

This morning’s media round saw lots of discussion about the cost of cyberattacks.

Firstly, the Co-operative Group revealed that it had turned a £3 million profit in the first half of 2024 into a £75 million pre-tax loss for the same period this year. The difference was primarily due to an £80 million earnings hit from the cyberattack earlier this year.

When the attack from the Scattered Spider collective hit Co-op earlier this year, the retailer looked initially like one of the luckier victims. Co-op seemed to be able to isolate the damage and recover quite quickly. It was initially thought that customer data had not been compromised, but it was revealed in July that the personal data of all 6.5 million members of the group had, in fact, been compromised.

The retailer confirmed that the attack hit sales to the tune of an estimated £206 million.

Debbie White, chairwoman of the Co-op, speaking this morning, said: “The first half of 2025 brought significant challenges, most notably from a malicious cyberattack. Our balance sheet strength and the magnificent response of our 53,000 colleagues enabled us to maintain vital services for our members and their communities.”

It’s worth stating at this point that the Co-op was not insured against such an attack.

In fairness, the cost to Co-op pales into insignificance when compared to the losses M&S is looking at, following its operations being brought to a virtual halt by the same hacking collective.

M&S has admitted it stands to lose approximately £300 million, but this figure doesn’t even begin to take into account the damage to the M&S brand or the loss of potential customers who needed something urgently in April or May, found it in John Lewis and never went back to M&S.

Rachel Higham, the M&S Chief Technology & Digital Officer at the time of the attack, left the company earlier this month even though she’d only been in post for a year.

Still, these are private businesses and if they lose money due to their own lack of preparedness for a cyberattack then it’s their problem. Or is it? The attack on Jaguar Land Rover (JLR) is starting to look like it might have an impact on the taxpayer.

Why?

At the time of writing, the shutdown at JLR has been extended into October, with no guarantees that it will not be extended again. The impact on JLR, a highly profitable enterprise, is one thing, but concern is mounting about the impact on the JLR supply chain, which is concentrated heavily in the West Midlands and really drives the economic success of the region.

Former Mayor of the West Midlands, Sir Andy Street, speaking on Radio 4 this morning, is trying to drum up support for the idea of the government providing emergency cash loans to maintain liquidity for affected suppliers.

Street’s motivations are clearly honourable, and he was at pains to emphasise during the interview that the loans would be for JLR’s suppliers, not JLR itself. But there was one element missing from the whole interview, and it’s a factor common to all these attacks: Tata Consultancy Services (TCS).

JLR outsourced cybersecurity to TCS in 2023, as part of a five-year £800m deal to "deliver efficiencies over the cost of existing services that will reduce JLR's net expenditure and unlock free cash flow."

TCS has worked with M&S since at least 2018, when it won a five-year deal to “transition M&S to a new Technology Operating Model, which embraces the agile mind-set to transform business and IT strategy, aligned with rapid technology innovation to meet fast changing business priorities.”

In 2023 that deal was extended to “transform the M&S core technology stack, improve resilience and pace of innovation, and drive sustainable growth”, and TCS and M&S won the retail partnership of the year award at the Retail Systems Awards.

TCS has partnered with the Co-op for at least 15 years, “supporting a number of business-critical and workplace transformations. These include retail business transformation, core system transformation and franchise programme. These initiatives have helped Co-op accelerate time to market, create new revenue streams, and enhance agility to respond in real time to emerging business scenarios.”

In February 2024 TCS announced that it had extended its partnership with the retailer to adopt a "cloud first strategy".

There’s even a link to TCS in the most recent security breach of an automotive company. Stellantis, the US automotive manufacturer behind brands including Chrysler, Fiat and Peugeot, confirmed a breach of customer data at the weekend which it said, in a statement, was a breach of a “third-party service provider’s platform that supports our North American customer service operations.” The third party was Salesforce and guess which partner installed it for them?

Computer says yes

This morning, Debbie White claimed that the attack on Co-op was “sophisticated,” but speaking in May, M&S Chief Executive Stuart Machin said the hackers broke in by tricking TCS employees into giving them passwords. The same tactic was used to attack the Co-op. It wasn’t sophisticated, and three out of the only four people who have so far been arrested on charges relating to these attacks were in their teens.

Image caption: TCS helpdesk workers were duped into sharing passwords

This morning, Andy Street claimed that JLR had been the victim of “an incredibly unexpected event.” Was it so unexpected, Andy? JLR must have expected it to some extent because it was working on a cyber insurance deal which, according to an article in trade publication The Insurer, it failed to get over the line in time, so JLR is not insured against the losses it is incurring from this attack.

The only public comment that has ever come from TCS relating to these attacks came from independent director Keki Mistry, who said in June that none of “its systems or users were compromised” as part of the M&S attack. That assertion seems to directly contradict what Stuart Machin said a month earlier, unless you consider the heavy lifting that the word “its” is doing in that sentence and then have a think about how outsourcing works.

TCS’s services may not have been compromised but they were being paid to manage systems still owned by M&S and Co-op.

Private profit, public losses

You don’t need a crystal ball to predict that more of these attacks are likely to come to light over the next few weeks and months. If TCS helpdesk workers were giving away password details to teenagers posing as employees of its customers, we may only have scratched the surface of the potential damage.

Whether or not customer financial data is compromised cannot and must not become the yardstick for measuring the impact of these attacks. The JLR shutdown is showing us, in real time, the importance of business resilience. An attack on one company is directly affecting people’s livelihoods earned at other companies. Skilled jobs are at risk unless the taxpayer steps up and offers emergency loans.

Yes, the taxpayer again. JLR, M&S and Co-op all decided to outsource technology functions to TCS. Those decisions, as all the press releases I’ve linked to above set out, were driven by a need to outsource ‘non-core’ technology operations like cybersecurity to ‘drive efficiencies.’ All three companies made redundancies.

Greater efficiencies kept the dividends coming, plumped profits and no doubt helped to justify the payment of some lovely bonuses to executives. Last financial year JLR recorded profits of £2.5 billion.

The shareholders at M&S (pre-tax profit of approximately $875 million FY24/25) were no doubt placated with the departure of Rachel Higham, with the implication that she alone carried the can for the attack, despite the fact that all the decisions which led to it occurring were made years before she took the job.

If this year has shown us anything, it’s that outsourcing your cybersecurity might be cheaper in the short term but can prove terribly expensive in the long run. We’ve arrived at a situation, yet again, where the people who make bad, short-term decisions pay no penalties, and the taxpayer picks up the bill to try to prevent blameless companies going under and taking skilled jobs with them.

Closing his interview on Radio 4 this morning, Andy Street said that when he was MD at John Lewis, a position he held from 2007 to 2016, the risks arising from potential cyberattacks were already clear. He said:

“When I left John Lewis, the single biggest risk on our annual risk register was cyberattack. Even eight or nine years ago we were spending a lot of money on trying to improve our supply chain resilience. I’m sure others did the same”.

Not everyone, it seems.

Updated 29/09/25: At the weekend the government announced that it would guarantee a £1.5bn loan for JLR to help it continue to pay suppliers. The loan, repayable over five years, will be from a commercial bank but backed by the government, which means the taxpayer shoulders the risk of the loan not being repaid.

Computing reached out to TCS for comment for this article but received no response.