Marks & Spencer Terminates Contract With Tata Consultancy Services

British retail giant Marks and Spencer (M&S) has officially ended its long-term partnership with Tata Consultancy Services (TCS) following one of the most damaging cyberattacks in company history.
The breach reportedly caused over £300 million in losses, disrupting M&S’s digital systems, online operations, and supply chains across the UK.

About Tata Consultancy Services (TCS)

Tata Consultancy Services (TCS), headquartered in Mumbai, is one of the world’s largest IT services and consulting firms under the Tata Group.
TCS employs over 600,000 professionals and serves clients in 55+ countries, including Jaguar Land Rover, British Airways, Boots, Diageo, and Aviva.
It also partners with financial giants like Deutsche Bank USA, Indian Bank, and RBC Investor & Treasury Services.

The M&S Cyber Incident: How It Happened

In April 2025, M&S confirmed a “cyber incident” that forced it to suspend online shopping, click-and-collect services, and digital operations.
The attack was executed by Scattered Spider, a hacker group that exploited a vendor access route — reportedly through TCS help-desk employee credentials.

Investigations revealed a social engineering technique: attackers impersonated staff, tricking TCS employees into revealing login credentials and resetting passwords.
After initial access, the hackers deployed DragonForce ransomware-as-a-service, executing a double extortion — encrypting M&S’s data while stealing copies.

Financial and Operational Impact on M&S

The cyberattack halted M&S’s online orders, disrupted in-store payments, and damaged its supply chain — causing empty shelves and customer frustration.
Analysts estimate over £300 million in operating losses and £1 billion wiped off M&S’s market cap.
Customer data was also compromised, prompting M&S to warn shoppers about potential phishing attempts.

M&S Ends Its IT Help-Desk Deal With TCS

In July 2025, M&S confirmed that its help-desk contract with TCS would not be renewed.
While M&S stated that the tender process began before the breach, industry analysts see this as part of a broader vendor risk reassessment.

A TCS spokesperson clarified that the company does not provide cybersecurity services to M&S and continues to support other strategic projects.

“The tender began months before the incident. TCS continues to value its relationship with M&S,” the spokesperson added.

Why This Incident Matters for the Retail and IT Industry

The M&S–TCS cyberattack highlights critical lessons for businesses relying on third-party outsourcing:

• Vendor Access = Attack Surface: Partners with help-desk or privileged access extend the risk perimeter.
• Social Engineering Threats: People remain the weakest link despite strong IT infrastructure.
• Regulatory Scrutiny: Contract timing and vendor accountability will attract attention from regulators.
• Transparency & Communication: Public trust relies on timely and clear communication after cyber incidents.

Lessons Learned: Strengthening Vendor Cyber Defence

Experts suggest that retailers must treat vendors as part of their cybersecurity ecosystem.
Mapping “critical vendors” and implementing zero-trust frameworks can prevent future breaches.
Help-desk operations are often targeted by attackers using impersonation tactics — making them a priority for awareness training and access control.

The Marks & Spencer–TCS fallout isn’t just about ending a contract; it’s a wake-up call for modern businesses.
It reveals that the future of cyber risk lies not only in technology but also in people, processes, and trust within complex outsourcing networks.

For Marks and Spencer, the focus now shifts to rebuilding digital resilience and restoring customer confidence. For TCS and other service providers, it’s a reminder that clients’ cyber resilience directly affects their own reputational strength.