M&S ends service contract with TCS after £300m cyberattack
Claims the move had been planned since January
Marks & Spencer has severed its long-running technology helpdesk partnership with Indian outsourcing titan Tata Consultancy Services (TCS), six months after this year’s cyberattack.
The attack in the spring cost the retailer an estimated £300 million and temporarily shut down its online business.
Both companies insist the decision predates the hack and is not a reflection of fault.
Earlier this year, hackers believed to be part of the cybercrime group Scattered Spider infiltrated M&S’ systems using a social engineering ploy.
Posing as senior executives on calls to IT support lines, the attackers reportedly manipulated password reset processes that normally safeguard access to sensitive company systems.
The result was weeks of retail disruption and empty shelves, as M&S scrambled to contain the fallout.
M&S chair Archie Norman described the attack to MPs as a "sophisticated impersonation" operation "involving a third party."
That comment triggered scrutiny of TCS, whose staff operate IT troubleshooting lines and possess the authority to process crucial security steps such as password resets.
TCS launched an internal investigation following the breach, ultimately stating it found "no indicators of compromise within the TCS network" and attributing the incident to weaknesses "in the client's own environment."
The firm said it does not provide cybersecurity services to M&S.
Despite this, parliamentary scrutiny intensified. Liam Byrne, chair of the business select committee, sought written clarification from TCS about its work with M&S.
Cybersecurity researchers also weighed in, warning that outsourcing frontline IT functions can create vulnerabilities if staff are juggling multiple scripts and clients.
"It's easy to abuse and easy for the operator to make a human error," said independent expert Kevin Beaumont, noting that even small missteps on a helpdesk can grant attackers the keys to a corporate kingdom.
According to The Telegraph, M&S officially cancelled the helpdesk contract in July, three months after the cyber incident. The retailer maintains that it began searching for a new provider in January, long before the cyberattack hit.
Decision predates breach but invites renewed attention
M&S first partnered with Tata more than a decade ago, and signed a new deal two years ago. That deal saw TCS commit to modernising M&S’ technology systems while still supporting core infrastructure areas, including datacentres and cloud services.
Both parties have reiterated their commitment to ongoing collaboration.
An M&S spokesperson said the move is routine business practice to secure the best solution on the market and insisted the decision "has no bearing" on the company's wider TCS relationship.
"As is usual process, we went to market to test for the most suitable product available, ran a thorough process and instructed a new provider this summer."
A TCS spokesperson explained that the bidding process for the M&S helpdesk contract had begun several months prior to the cyberattack.
"TCS does not provide cyber security services to Marks & Spencer. This is a service that is provided by another partner of M&S."
"TCS continues to work on numerous other areas of engagement in its role as a strategic partner for M&S," they added.
UK organisations are currently grappling with an intensifying cyber-threat environment.
Jaguar Land Rover experienced a major incident in August that disrupted production and supply chains.
In May, luxury French fashion house Dior confirmed a cybersecurity incident that resulted in a breach of customers' personal data from its Fashion and Accessories division.
And also in May, just days after the M&S attack, the Co-op and Harrods suffered incidents. Although they fared better than M&S, the results still dragged on for some time.