Marks & Spencer

KEY POINTS

  • The cyber-attack, linked to the Scattered Spider group, forced M&S to shut down online sales last April.
  • TCS denied responsibility, saying the breach occurred 'in the client's own environment'.
  • The attack is estimated to have cost M&S up to £300 million in lost profits and weeks of online downtime.

Marks & Spencer (M&S) has terminated its decade-long IT helpdesk contract with Indian outsourcing giant Tata Consultancy Services (TCS), months after a major cyber-attack cost the British retailer up to £300 million in lost operating profit.

The decision, finalised in July 2025 following a competitive procurement process, concludes TCS's role in managing M&S's technology helpdesk. While M&S insists the move is routine and unrelated to the April cyber breach, the timing has triggered questions around the security and oversight of third-party IT vendors.

A spokesperson for the retailer clarified: 'We went to market to test for the most suitable product... and appointed a new provider this summer.' M&S stressed the decision was part of 'standard review processes' and 'has no bearing on our wider TCS relationship.'

TCS echoed this, stating the termination 'was decided prior to the April cyber-attack and is unrelated', adding that helpdesk services made up only a minor portion of its broader work with M&S, which still includes data centre and cloud infrastructure support.

A Breach That Shook the British High Street

The cyber incident, one of the largest in UK retail history, disrupted M&S's online fashion and homeware operations and left some food stores with empty shelves. Chairman Archie Norman described it as a 'sophisticated impersonation attack... involving a third party.'

The breach, traced by the National Crime Agency and National Cyber Security Centre (NCSC) to the hacking collective Scattered Spider, reportedly involved compromised login credentials of at least two TCS employees. M&S later confirmed the breach could cost the company up to £300 million in operating profit.

In response, TCS launched an internal investigation to assess whether its helpdesk was exploited. 'As no TCS systems or users were compromised, none of our other customers are impacted,' the company said. Still, cybersecurity experts warn that helpdesks can present significant vulnerabilities due to broad system access and human error risks.

Vendor Change Raises Broader Questions

Although both firms maintain that the provider switch predates the cyber-attack, the proximity of the decision has raised eyebrows among shareholders and analysts. Critics argue that helpdesk functions may now represent one of the weakest links in enterprise cybersecurity chains, especially when outsourced.

Cybersecurity analyst Kevin Beaumont noted: 'Helpdesks can be easy to abuse and easy for the operator to make a human error, especially when managing access for multiple clients.'

Retail Cyber Strategy at a Crossroads

The M&S breach highlights the increasing reliance of modern retailers on external technology partners. As digital threats escalate, governance and risk oversight of these relationships are becoming critical.

While M&S continues its recovery — reinstating its Sparks loyalty scheme and addressing product availability — the vendor change may signal a strategic shift, prioritising resilience over cost alone.

For retail CIOs and boardrooms, the TCS-M&S split serves as a high-stakes reminder: outsourcing remains a valuable model, but vendor access, credential management and incident response must be tightly controlled in a world of escalating cyber risk.