London — British retail giant Marks & Spencer (M&S) has terminated its long-standing partnership with Indian IT powerhouse Tata Consultancy Services (TCS) following a devastating cyberattack that cost the company an estimated ₹3,200 crore (£300 million) earlier this year.
The retailer ended its technology helpdesk contract with TCS in July 2025, just months after the breach forced it to suspend online operations for weeks and left many of its stores with empty shelves.
A Breach Rooted in “Social Engineering”
According to investigators, a hacking group known as Scattered Spider infiltrated M&S’s systems using “social engineering” tactics — impersonating senior executives over tech support calls to trick helpdesk agents into resetting passwords.
In testimony before British lawmakers, M&S chairman Archie Norman said the cybercriminals gained access through “sophisticated impersonation involving a third-party vendor.”
The First Firm to Assess Your DFIR Capability Maturity and Provide DFIR as a Service (DFIRaaS)
TCS Launches Internal Probe, Denies Fault
Following the attack, TCS conducted an internal investigation to determine whether its helpdesk team had inadvertently served as a gateway for hackers. The company later stated it found “no evidence of wrongdoing or compromise.”
However, the UK Business Select Committee, chaired by Liam Byrne, requested clarification from TCS regarding its role. In a written response to Members of Parliament, TCS said the breach occurred “within the client’s own environment” and that it had found “no indicators of compromise within the TCS network.”
The Outsourcing Dilemma
TCS — one of India’s largest IT service providers — works with dozens of major British institutions, including banks, financial firms, and national infrastructure projects. Many UK companies have outsourced critical IT operations to Indian firms as a cost-saving strategy.
However, cybersecurity experts warn that such outsourcing can expose organizations to new layers of risk.
Kevin Beaumont, a noted cybersecurity researcher, said, “IT helpdesks often serve multiple clients simultaneously and operate off a scripted process. It’s easy for attackers to exploit that environment — and easy for humans to make mistakes.”
A Decade-Long Partnership Worth ₹8,300 Crore
M&S and TCS have worked together for more than a decade. In 2023, the two companies renewed a $1 billion (approximately ₹8,300 crore) agreement aimed at modernizing M&S’s technology infrastructure and business systems.
Under the deal, TCS pledged to “simplify M&S’s technology landscape and upgrade its core enterprise systems.”
Despite the latest contract termination, TCS continues to manage M&S’s data center and cloud operations.
A Pre-Planned Transition — Or a Strategic Signal?
M&S had already begun searching for a new helpdesk provider in January 2025, months before the cyberattack occurred.
A company spokesperson emphasized that the decision to change vendors was part of a standard review process, not a reaction to the breach.
“We went to market to identify the most suitable partner, ran a thorough evaluation, and appointed a new provider this summer,” the spokesperson said.
“This change has no bearing on our broader relationship with TCS, which remains an important strategic partner.”
A TCS spokesperson reiterated that the company does not provide cybersecurity services to M&S — those are handled by another vendor.
“The tender for the M&S helpdesk contract began several months before the incident,” the spokesperson said. “TCS continues to support M&S in numerous strategic initiatives and values this long-standing relationship.”
A Broader Reckoning for Corporate Cybersecurity
The fallout from the M&S–TCS split underscores a growing concern across the UK corporate landscape: the cybersecurity risks inherent in large-scale outsourcing.
As companies pursue digital transformation and cost efficiency through offshore IT partnerships, experts say they must strengthen human verification, internal controls, and vendor accountability to prevent similar incidents.
“Technology can be safeguarded with encryption and firewalls,” one industry analyst noted. “But when people are the weak link, even the strongest systems can be breached.”
