Marks & Spencer has ended its technology helpdesk contract with Tata Consultancy Services (TCS) following a cyber attack that cost the retailer an estimated £300m earlier this year.
Marks & Spencer (M&S) has terminated its long-standing contract with Indian outsourcing giant Tata Consultancy Services, months after a major cyber attack forced the retailer to shut down online operations and disrupted store deliveries.
The decision, made in July, comes after hackers from a group known as Scattered Spider infiltrated M&S’s systems through what executives described as “sophisticated impersonation” involving a third-party supplier.
Although TCS has denied responsibility for the breach, its contract to run M&S’s technology helpdesk was not renewed — a move that has intensified questions about the role of outsourced IT support in major security incidents.
£300m cyber attack fallout
The April cyber attack, which caused significant disruption to the retailer’s supply chain and e-commerce platforms, is estimated to have cost M&S more than £300m in lost sales and recovery expenses.
During a parliamentary hearing in July, M&S chairman Archie Norman told MPs that hackers gained access to internal systems by impersonating senior executives and manipulating helpdesk staff to reset passwords — a form of “social engineering.”
Shortly after, TCS launched an internal investigation to determine whether its helpdesk had served as the entry point for the hackers. The company later concluded there was “no fault” within its network and that the breach had occurred within “the client’s own environment.”
In correspondence with MPs, TCS insisted it had “found no indicators of compromise” within its systems and maintained that it was not directly responsible for the breach.
Questions over outsourcing and cyber security
The incident has reignited debate about the risks of outsourcing critical IT functions to overseas contractors. Cyber security experts warn that helpdesk operations, which often handle sensitive processes like password resets, can be vulnerable to manipulation.
Kevin Beaumont, a prominent cyber security researcher, said typical outsourced IT support desks “run through scripts” and can be prone to human error.
“It’s easy to abuse and easy for the operator to make a mistake,” he said.
M&S had worked with TCS for over a decade and renewed its partnership just two years ago as part of efforts to modernise its digital infrastructure. Under that deal, TCS promised to simplify M&S’s technology landscape and update its core business systems.
Despite losing the helpdesk contract, TCS continues to work with M&S on other projects, including data centre and cloud services.
Both companies downplay fallout
An M&S spokesperson said the decision to switch helpdesk providers followed a routine market review rather than the cyber attack.
“We went to market to test for the most suitable product, ran a thorough process and instructed a new provider this summer,” they said. “This has no bearing on our wider TCS relationship.”
A TCS spokesperson echoed that view, saying the decision was taken before the April incident.
“TCS does not provide cyber security services to Marks & Spencer. This is handled by another partner,” the company said.
TCS added that it remains “proud” of its ongoing work with M&S as a “strategic partner.”
