Retail Giant M&S Cyberattack Prompts Scrutiny on Outsourcing Partner TCS

Rahul Kaushik | Business | October 27, 2025


A major cyberattack on Marks & Spencer (M&S) in April 2025, estimated to have cost the British retailer as much as £300 million in lost operating profit, has brought intense scrutiny upon its relationship with its long-standing IT services partner, Tata Consultancy Services (TCS). While a subsequent decision by M&S to end a specific service desk contract has fueled media speculation linking it directly to the breach, both companies have issued strong clarifications denying any such connection.

The Cyber Incident and Its Impact

The highly sophisticated and targeted cyberattack against M&S in April 2025 caused significant operational disruption. The breach reportedly forced the retailer to suspend online orders for a period and led to widespread issues including empty shelves in several stores.

M&S Chairman Archie Norman later informed British lawmakers that the hackers, identified by some reports as the group known as Scattered Spider, gained access using “sophisticated impersonation” involving a third-party vendor. This technique, often referred to as ‘social engineering,’ reportedly involved tricking helpdesk agents into resetting passwords for senior executives.

The financial fallout was substantial, with the retailer expecting a hit to its operating profits of up to £300 million, underscoring the severe risks posed by advanced cyber threats to major retail operations.

Termination of IT Service Desk Contract

In the wake of the cyberattack, M&S decided not to renew the contract for its IT service desk with TCS, a contract that officially ended in July 2025. This move was reported by some UK media outlets as a direct consequence of the cyberattack, suggesting that TCS was held responsible for a failure that allowed hackers to gain entry.

However, both M&S and TCS have robustly contested this narrative:

Investigation and Clearing of Fault

Following the April breach, M&S’s chairman’s comments about third-party involvement led to immediate scrutiny of TCS. The Indian IT firm conducted an internal investigation to determine if its network or helpdesk operations had served as a gateway for the hackers.

TCS later confirmed that the vulnerabilities associated with the cyberattack did not originate from its networks. The company stated it found no evidence of compromise within its systems, a position it also communicated to the House of Commons Business and Trade Select Committee in the UK. This clarification suggests that the breach occurred within the client’s own environment, exploiting a vulnerability in a multi-vendor ecosystem.

Broader Implications for Outsourcing

Despite the assertions from both M&S and TCS that the contract termination and the cyberattack were unrelated, the sequence of events highlights the increasing cybersecurity risks inherent in large-scale IT outsourcing.

The incident underscores the complexity of modern corporate IT landscapes, which often rely on a network of third-party vendors, any one of which can become a point of vulnerability. For major corporations, maintaining rigorous cybersecurity protocols and clear lines of responsibility across all vendors is now a critical, high-stakes operational priority. The fallout from the M&S attack serves as a stark reminder of the massive financial and reputational damage that can result from a single, sophisticated breach targeting an extended enterprise supply chain.
