The Cyber Attack on Marks & Spencer (M&S) and the Involvement of Tata Consultancy Services (TCS)

In April 2025, one of the UK’s most-recognised retailers, Marks & Spencer (M&S), suffered a major cyber-attack that disrupted its operations, exposed customer data and triggered investigations into its IT and third-party supplier arrangements. The incident spotlighted the vulnerability of supply-chain links in retail and the risk posed by social engineering. This article outlines what is known so far: the attack itself, the role of the IT services provider Tata Consultancy Services (TCS), the consequences for M&S, and the broader lessons for the industry.

Background: M&S and its IT Partner Landscape

M&S is a major British retailer with operations spanning food, fashion and home goods. Over recent years it has invested heavily in digital transformation and partnered with large IT services firms to modernise its infrastructure. One substantial partner has been TCS, an Indian IT services and outsourcing firm, which has provided systems, help-desk and support services to M&S for over a decade. (Business Standard)

This arrangement meant M&S’s digital infrastructure, customer-loyalty scheme (Sparks) and online operations depended in part on third-party services and support arrangements.

The Cyber Incident: What Happened

The cyber-attack came to light around the Easter weekend of April 2025. M&S acknowledged that it was dealing with a “cyber incident” that halted parts of its services. (Reuters, Tech Monitor) Key facts:

  • The attackers gained access not by breaching M&S’s own defences first, but by targeting a third-party contractor connected to M&S. M&S’s CEO, Stuart Machin, said: “Unable to get into our systems by breaking through our digital defences, the attackers… resorted to social engineering and entering through a third party.” (Reuters, Retail Gazette)

  • The breach impacted online sales: M&S had to suspend online ordering of clothing and home goods, and certain supply-chain and in-store services (e.g., click & collect, partner fulfilment) were disrupted. (Tech Monitor)

  • Customer data was accessed: names, addresses, dates of birth and order history were among the types of data reported stolen. However, M&S said payment information and account passwords were not compromised. (Retail Gazette)

  • The cost impact: M&S estimated a hit to operating profit of up to £300 million, with wider market capitalisation losses of more than £750 million reported. (Tech Monitor, Reuters)

A hacking group thought to be involved is the so-called Scattered Spider, which has been linked to social-engineering attacks involving impersonation and help-desk exploitation. (Retail Gazette)

The TCS Connection: Investigation & Clarification

Given the role of third-party support and the fact that TCS had been a long-time service provider to M&S, attention soon turned to whether TCS systems or staff credentials were the gateway used by the attackers. Some of the key developments:

  • Reports stated that at least two TCS employees’ login credentials for M&S systems “may have” been used in the breach. (The Times of India, Computing)

  • TCS launched an internal investigation to determine whether it had been a “gateway” for the attack. (Business Standard)

  • In June 2025, TCS declared publicly that no systems or users of theirs were compromised in the incident. “As no TCS systems or users were compromised, none of our other customers are impacted,” said TCS independent director Keki Mistry. (Reuters)

  • TCS also clarified that it does not provide cybersecurity services to M&S; its role was delivering IT services such as the help desk, not cyber-defence. (Infosecurity Magazine)

Thus, TCS denies being directly at fault or compromised, though the investigation into how the attackers gained access via a third party remains ongoing.

Fallout: Operational & Reputational Impact

For M&S, the attack caused wide-ranging consequences:

  • Operational disruption: online orders were paused for weeks; click & collect, food delivery and in-store systems were impacted. (MoneyWeek)

  • Financial hit: the profit impact estimate (~£300 m) reflects lost sales, extra costs, logistics disruption and reputational damage. (Reuters)

  • Reputational risk: the breach exposed the company to scrutiny over its digital resilience and supplier oversight, especially given the entry route (via a third party) and the high-profile nature of the incident.

  • Supplier relationships: though M&S continues to use TCS for other services, there has been a re-evaluation of service-desk contracts. In October 2025, M&S ended its IT service-desk contract with TCS; TCS says the decision followed a procurement process begun before the attack and is not connected. (Financial Times)

Key Lessons & Broader Implications

This incident reinforces several important lessons for large organisations (especially retailers) and their supply chains:

  1. Third-party risk is real
    Even strong internal defences can be circumvented if a third-party provider is targeted. Organisations must map and monitor their supplier ecosystem, enforce strict access controls and ensure that third-party staff privileges are tightly governed.

  2. Social engineering and help-desk exploitation are common vectors
    The M&S attack reportedly involved impersonation (attackers pretending to be senior executives) and help-desk workflows (password resets). These are often less fortified than system perimeters. (TechRadar)

  3. Digital dependency increases ripple effect
    Large retailers depend on integrated IT systems for online ordering, deliveries, loyalty programmes and supply-chain logistics. An outage in one part can cascade across stores, warehouses and customer service.

  4. Timely detection matters
    M&S said it detected suspicious activity soon after the attack began, but the disruption still took weeks to resolve, and parts of the service remained degraded into the summer. The longer an attacker maintains a foothold, or the longer the organisation remains offline, the larger the cost.

  5. Communication & transparency are key
    M&S communicated to customers that data had been stolen (but not payment data). Even so, trust can be eroded if service outages drag on or if breach details remain unclear.

  6. Supplier contracts and oversight should include cybersecurity criteria
    As organisations outsource increasingly complex IT functions, the contract terms, audit rights, incident-response responsibilities and accountability for supplier negligence become critical.
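Lessons 1 and 2 describe the pattern the article attributes to the attack: a help-desk password reset on a third-party account, followed by use of that account from somewhere it had never been seen. The following detection logic is an added example (not code from M&S, TCS or the article) that flags exactly that sequence in a constructed identity log; the log format, the `ext.` naming convention for supplier accounts and the one-hour review window are assumptions.

```python
"""Flag help-desk password resets on third-party (supplier) accounts that are
followed shortly by a sign-in from a source the account has never used before.
Added example; the log format, account naming and window are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp|event|account|actor|source
SAMPLE_LOG = """\
2025-04-17T09:02:11|helpdesk_reset|ext.contractor01|helpdesk.agent7|ticket-1042
2025-04-17T09:10:45|login|ext.contractor01|-|203.0.113.50
2025-04-17T09:15:00|login|ext.contractor02|-|198.51.100.9
2025-04-16T08:00:00|login|ext.contractor02|-|198.51.100.9
2025-04-17T11:20:03|helpdesk_reset|ext.contractor02|helpdesk.agent3|ticket-1061
2025-04-17T11:25:30|login|ext.contractor02|-|198.51.100.9
2025-04-17T12:00:00|login|alice.internal|-|10.0.0.5
"""

THIRD_PARTY_PREFIX = "ext."   # assumed naming convention for supplier accounts
REVIEW_WINDOW = timedelta(hours=1)  # reset-to-login gap that warrants review


def parse_log(log_text):
    """Parse pipe-separated lines into (time, event, account, actor, source),
    sorted by time so out-of-order lines are handled correctly."""
    events = []
    for line in log_text.splitlines():
        ts, event, account, actor, source = line.split("|")
        events.append((datetime.fromisoformat(ts), event, account, actor, source))
    return sorted(events)


def find_suspicious_resets(log_text):
    """Return (account, reset_time, login_source) for every third-party account
    whose help-desk reset is followed within REVIEW_WINDOW by a login from a
    source not seen for that account before the reset."""
    known_sources = defaultdict(set)  # account -> sources seen so far
    pending_reset = {}                # account -> time of last help-desk reset
    alerts = []
    for ts, event, account, _actor, source in parse_log(log_text):
        if not account.startswith(THIRD_PARTY_PREFIX):
            continue  # internal staff are out of scope for this rule
        if event == "helpdesk_reset":
            pending_reset[account] = ts
        elif event == "login":
            reset_ts = pending_reset.get(account)
            if reset_ts and ts - reset_ts <= REVIEW_WINDOW \
                    and source not in known_sources[account]:
                alerts.append((account, reset_ts, source))
            known_sources[account].add(source)
    return alerts


if __name__ == "__main__":
    for account, reset_ts, source in find_suspicious_resets(SAMPLE_LOG):
        print(f"REVIEW: {account} reset at {reset_ts} then signed in from {source}")
```

In the sample, only `ext.contractor01` is flagged: its reset is followed by a sign-in from a never-seen source, whereas `ext.contractor02` signs in from its usual address and the internal user is out of scope.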

What Happens Now?

For M&S, recovery is ongoing. It has restored many services (including its Sparks loyalty scheme), but in many cases operations took months to return to full normality. (The Guardian)

For TCS and other large service providers, the incident underscores the reputational risk of being entangled (even indirectly) in high-profile breaches of clients. Even where a provider believes it was not compromised, the perception of being a weak link may damage future business or contract renewals.

Meanwhile, regulatory scrutiny may intensify. For example, in the UK the Information Commissioner’s Office (ICO) can levy significant fines if companies are found to have insufficient protections over personal data. (The Guardian)

Conclusion

The cyber-attack on Marks & Spencer illustrates how sophisticated threat actors can exploit supply-chain and third-party vulnerabilities to disrupt major retailers, steal customer data and inflict heavy financial loss. Though M&S’s own systems were not initially compromised via traditional perimeter attacks, the breach nevertheless hit its business hard — demonstrating that modern cyber-resilience demands attention not just to in-house defences but also to the full chain of service providers, access privileges and human-factor vulnerabilities. For service providers like TCS, the key takeaway is that even if not directly compromised, being part of the access path into a client’s systems brings elevated scrutiny and expectations of transparency, auditability and rapid incident response. For customers, it means checking not just the vendor they contract with, but the vendor’s own suppliers, help-desk workflows, privileged access management and identity controls.