Marks & Spencer Ends IT Service Desk Contract With Tata Consultancy Services Following Devastating Cyber Attack
British retail giant Marks & Spencer (M&S) has officially ended its long-standing partnership with Indian IT services leader Tata Consultancy Services (TCS) after suffering one of the most damaging cyberattacks in its history. The high-profile breach, which occurred earlier this year, is estimated to have cost the company around £300 million in losses, disrupting its digital infrastructure and severely impacting operations across the UK.
Tata Consultancy Services (TCS) is a leading Indian multinational company that provides information technology (IT) services and consulting solutions. Headquartered in Mumbai, it is part of the Tata Group and has a global presence with a large workforce (600k+), serving clients in various industries across 55 countries. Notable clients include Jaguar Land Rover, British Airways, Boots, Diageo, and Aviva. Other clients include financial institutions such as Deutsche Bank USA, Indian Bank, and RBC Investor & Treasury Services, and businesses like Mitchells & Butlers and the British Council.
According to industry sources, M&S terminated its technology helpdesk and support contract with TCS in July 2025, marking the end of a collaboration that had spanned several years. The decision reportedly came just months after the cyberattack forced the retailer to suspend its online shopping platform for an extended period, leaving millions of customers unable to place orders. The disruption also created widespread supply chain and inventory challenges, resulting in empty shelves across many of its physical stores and damaging the company’s reputation for reliability and customer service.
The incident has sparked broader discussions within the retail and IT sectors about data security, vendor accountability, and the growing risks of cybercrime in an increasingly digital marketplace. For M&S, the move to sever ties with TCS is seen as part of a larger effort to rebuild trust, strengthen its cybersecurity framework, and modernize its technology operations following the breach.
The Incident: How It Happened
M&S engaged TCS as its technology partner for more than a decade, including a major outsourcing renewal in 2023 aimed at digitising the retailer’s supply-chain, omnichannel and store systems.
In late April 2025, M&S confirmed a “cyber incident” that forced it to halt online orders, suspend parts of its click-and-collect operations and, by some reports, left store shelves under-stocked. The attacker group, identified as Scattered Spider, exploited a vendor route rather than simply breaking into M&S’s perimeter.
Media reporting pointed directly at TCS’s help-desk staff access: according to sources, at least two M&S login credentials belonging to TCS employees were used in the infiltration.
The hackers gained initial access to M&S’s systems through a social engineering attack. This involved the hackers posing as employees to trick TCS staff into revealing login credentials and resetting passwords.
The retailer’s CEO, Stuart Machin, later told MPs the entry occurred via “sophisticated impersonation … involving a third-party”.
After gaining initial access, Scattered Spider used a ransomware-as-a-service provider called DragonForce to carry out the attack.
The attack involved double extortion, where the hackers stole a copy of M&S’s data before scrambling it. They then demanded a ransom both to decrypt the data and to keep the stolen information from being leaked.
TCS has publicly maintained that none of its systems or users were compromised and that the breach occurred in the client’s environment.
- The attack caused widespread disruption, halting M&S’s online orders, affecting in-store payments and stock levels, and leading to significant financial losses.
- Customer data was stolen during the attack, and M&S advised customers to remain cautious of phishing attempts.
The financial fallout for M&S has been dramatic. Analysts estimate as much as £300 million in lost operating profit for the year, and over £1 billion wiped off market cap. The chain of events underscores how a single social-engineering approach—targeting vendor personnel rather than network firewalls—can plunge a storied retailer into crisis.
The Supplier Fallout: M&S Ends Its Help-Desk Deal
In July, M&S confirmed the contract would not be renewed, noting that the competitive procurement process had begun in January, months before the attack. M&S insists the change is unrelated to the breach, and that TCS remains a strategic partner for other technology services.
A TCS spokesperson reiterated that the company does not provide cybersecurity services to M&S — those are handled by another vendor.
“The tender for the M&S helpdesk contract began several months before the incident,” the spokesperson said. “TCS continues to support M&S in numerous strategic initiatives and values this long-standing relationship.”
Nevertheless, the optics are stark: when a cyber-disaster hits and one of your major outsourcing partners is implicated—even indirectly—the board and executives feel the pressure. For TCS, which serves hundreds of UK clients across critical sectors, the incident raises broader questions about vendor risk and client trust.
Why This Matters: Outsourcing, Supply Chain Risk and Cyber Defence
What happened to M&S is becoming a textbook example of how modern retailers are exposed: complex outsourcing ecosystems, multiple third-party contractors with elevated access, and human-centred social-engineering attacks that exploit the weakest link, often help-desk staff.
Cyber-security experts have warned that help desks represent a poorly guarded flanking route, especially when the staff run through scripted flows for password resets, impersonations and escalations.
- A recent analysis flagged the need for organisations to map ‘critical vendors’ and treat them as part of the cyber-footprint—not just peripheral suppliers.
- The breach (and the subsequent vendor fallout) highlights how insurance, legal, customer-trust and brand-risk issues all cascade from what appears to be a tech or IT incident.
- For retailers in particular, disruption to online ordering, click & collect, and supply to stores can translate into immediate bottom-line losses, brand erosion and competitive disadvantage (M&S cited rivals gaining share due to the outage).
Looking Ahead: What Retail and Outsourcing Executives Should Learn
For both clients like M&S and suppliers like TCS, the fallout offers a number of lessons:
- Vendor access = attack surface: If a partner handles help-desks, password resets or privileged access, then their people, processes and controls become an extension of your network—even if physically separate.
- Social engineering remains a critical area: Firewalls, endpoint protection and traditional IT defences are necessary but not sufficient when attackers impersonate insiders and exploit human trust.
- Contract renewal timing must consider risk: M&S began the help-desk tender process in January; by July the contract ended. The overlap between vendor change and breach response may invite scrutiny from regulators and stakeholders.
- Communication and transparency matter: M&S has taken steps to restore operations and update investors; yet limited public detail leaves a void that invites speculation, especially when another party (TCS) remains under investigative scrutiny.
- Outsourcing doesn’t replace accountability: Even when a service is outsourced, regulatory liability, data-protection obligations and business-continuity responsibility still rest with the client organisation.
Conclusion
The M&S–TCS episode may read on the surface as a wholesale outsourcer contract cancellation, but the deeper narrative is about how digital-age retailers with complex vendor networks are discovering that the frontier of cyber risk is no longer purely technical. It’s about people, trust and the unseen channels of access.
For M&S, the headline might be that it “ditched” TCS for its help-desk. But the broader story is one of high-street Britain grappling with what happens when three decades of outsourcing intersect with next-generation cyber-crime. And for TCS and other large outsourcers, the message is inescapable: your clients’ cyber-resilience is also your reputational resilience.
