
British retail giant Marks & Spencer (M&S) has officially ended its long-standing IT service desk contract with Tata Consultancy Services (TCS), following one of the most disruptive cyberattacks in its history. The decision comes as the retailer reassesses digital operations, cybersecurity risks, and vendor management after the attack cost M&S an estimated £300 million in lost operating profits and severely impacted its reputation and services.
How the Incident Unfolded
The attack occurred in April 2025 and was linked to the notorious Scattered Spider group. Hackers used advanced social engineering tactics, impersonating senior M&S executives to trick IT helpdesk staff into resetting critical login credentials. Within days, M&S’s online shopping platform was suspended, contactless payments failed, and supply chain disruptions caused empty shelves across stores. Public and parliamentary scrutiny focused on TCS, as its staff operated key support lines and had authority over password resets, a role targeted by the attackers.
TCS Response and Contract Termination
In the wake of the attack, TCS conducted an internal investigation, concluding that there were no indicators of compromise within its own network and stating that vulnerabilities arose from the client’s environment, not TCS systems. Both TCS and M&S clarified that the helpdesk contract termination was part of a routine competitive procurement process initiated in January, months before the cyber incident, and not a reflection of fault or cybersecurity failures. TCS continues to serve M&S in other technology domains, including data center management and transformation projects, with cybersecurity services provided by other vendors.
Strategic Lessons for Retail and IT
The fallout from the M&S breach highlights how outsourcing frontline IT functions can create unintended vulnerabilities, especially when helpdesk personnel are responsible for sensitive security controls. Independent cybersecurity analysts have warned of increased risk from social engineering attacks that target supply chain and vendor personnel, urging stronger verification measures and accountability for third-party IT outsourcing.
For M&S, the contract change marks a new chapter in modernizing retail operations, strengthening cyber defenses, and rebuilding customer trust. For the broader industry, it signals the growing importance of vendor governance and the need to rigorously evaluate every link in the digital supply chain to protect against advanced cyber threats.


