Marks & Spencer (M&S), the iconic British retailer, has officially ended its partnership with Tata Consultancy Services (TCS) following a catastrophic cyberattack that disrupted its operations and dealt a severe financial blow to the company. The decision to terminate the contract, which covered technology helpdesk and support services, came in July 2025, just a few months after the breach occurred.
The incident marked one of the most damaging cyberattacks in M&S’s history. Estimated losses totaled approximately £300 million, with the breach affecting the company’s digital infrastructure, bringing its online shopping platform to a standstill, and causing supply chain and inventory disruptions. The fallout left physical store shelves across the UK under-stocked, tarnishing M&S’s reputation for reliability and customer service.
How the attack unfolded
In April 2025, M&S confirmed a "cyber incident" that forced the retailer to suspend online orders, halt parts of its click-and-collect services, and disrupt in-store operations. The attack, attributed to the hacker group Scattered Spider, exploited a third-party vendor route rather than targeting M&S’s systems directly. Reports indicated that login credentials belonging to TCS employees were used in the initial infiltration.
According to M&S CEO Stuart Machin, the breach was the result of "sophisticated impersonation … involving a third-party." The hackers used social engineering tactics, posing as employees to trick TCS staff into revealing credentials and resetting passwords, thereby gaining access to M&S systems. The attack was carried out using ransomware from the ransomware-as-a-service provider DragonForce and involved double extortion, in which the hackers not only encrypted M&S’s data but also stole a copy, threatening to leak it unless a ransom was paid.
The impact was significant: M&S advised customers to remain vigilant against potential phishing attempts because their data had been compromised. Analysts have estimated that the company suffered as much as £300 million in lost operating profit and saw over £1 billion erased from its market capitalization.
M&S parts ways with TCS
Although M&S has stated that its decision to terminate the helpdesk contract with TCS was unrelated to the breach – citing a competitive procurement process that began in January 2025 – the timing raised eyebrows. The collaboration between the two companies had spanned more than a decade and included a major outsourcing renewal in 2023 aimed at modernizing M&S’s supply chain and store systems.
A spokesperson for TCS emphasized that the company does not provide cybersecurity services to M&S, adding, "The tender for the M&S helpdesk contract began several months before the incident. TCS continues to support M&S in numerous strategic initiatives and values this long-standing relationship." Despite these assurances, the optics of the situation have been challenging for both parties, with TCS facing increased scrutiny over its role in the breach.
Cybersecurity challenges for retailers and vendors
The M&S cyberattack highlights the growing risks facing retailers reliant on complex outsourcing ecosystems and third-party vendors. Cybersecurity experts have warned that helpdesk operations – often considered a soft target – represent a significant vulnerability, as attackers frequently exploit human error through social engineering tactics.
The incident underscores the importance of treating critical vendors as an extension of an organization’s cyber footprint. According to analysts, the fallout from such attacks extends beyond technical disruptions, impacting customer trust, regulatory compliance, and financial stability. For M&S, the breach allowed competitors to gain market share during the prolonged disruption, further compounding its losses.
Key lessons for the industry
The M&S-TCS case serves as a cautionary tale for both retailers and outsourcing providers. It underscores the need for stronger cybersecurity measures, better oversight of vendor access, and improved training to combat social engineering threats. Key takeaways from the incident include:
- Vendor access requires tighter controls: Partners with privileged access, such as helpdesk providers, must be treated as integral parts of an organization’s cybersecurity framework.
- Human factors remain a weak link: Attackers frequently exploit employee trust through impersonation and other social engineering techniques, bypassing traditional IT defenses.
- Transparency is essential: Clear communication with stakeholders is crucial during and after a breach to rebuild trust and mitigate reputational damage.
- Outsourcing doesn’t eliminate accountability: Even when services are outsourced, companies remain responsible for regulatory compliance, data protection, and business continuity.
Conclusion
For M&S, the decision to sever ties with TCS may reflect broader efforts to rebuild trust and strengthen its cybersecurity defenses following the devastating breach. At the same time, the incident highlights the vulnerabilities inherent in digital-age retailing and the challenges of managing an increasingly interconnected supply chain.
As retailers and technology providers navigate this evolving landscape, the M&S breach serves as a stark reminder of the high stakes involved in protecting data and maintaining customer confidence. The message for outsourcing partners is clear: the resilience of their clients’ cybersecurity measures is intrinsically tied to their own reputations.