Register to get 1 free article
Reveal the article below by registering for our email newsletter.
Want unlimited access? View Plans
Already have an account? Sign in
Marks and Spencer (M&S) has reportedly let go of its IT service desk partnership with its India-based IT consultancy.
According to The Telegraph, the retailer terminated its contract with Tata Consultancy Services (TCS) in July, but TCS said the move was not related to the cyber attack incident that occurred earlier this year.
The attack, attributed to a group called Scattered Spider, reportedly gained access to the retailer’s systems through “social engineering”, a technique where hackers impersonate executives to obtain password resets from IT support staff.
In July, chairman Archie Norman told MPs that the breach involved “sophisticated impersonation” and a “third party”.
TCS, which operates IT and contact services for several major UK firms, launched an internal review shortly after the incident but said it had found “no fault”.
Liam Byrne, chairman of the business select committee, later wrote to TCS asking about its work with M&S. In a letter to MPs earlier this month, TCS said the breach had occurred “in the client’s own environment” and that there were “no indicators of compromise within the TCS network”.
M&S has worked with TCS for more than a decade and renewed a wider deal with the firm two years ago worth about £750m to modernise its technology systems.
Despite the end of the helpdesk contract, TCS continues to manage the retailer’s data centre and cloud services.
A spokesman for M&S said: “As is usual process, we went to market to test for the most suitable product available, ran a thorough process and instructed a new provider this summer.”
They added: “We value our partnership with the TCS team.”
A TCS spokesman said: “The report published by The Telegraph is misleading, with several inaccuracies including the size of the contract and the continuity of TCS’ work for Marks & Spencer (M&S). As both M&S and TCS have clarified, the service desk contract with M&S followed a regular competitive RFP process initiated in January 2025, with M&S opting to proceed with other partners much prior to the cyber incident in April 2025. These matters are hence clearly unrelated. In fact, we continue to work on numerous other areas, in our role as a strategic partner for M&S and are proud of this longstanding partnership.
“On the cyber incident itself, as previously clarified, TCS conducted a review of our own networks and systems and our conclusion is that the vulnerabilities have not originated from there. TCS does not provide cyber security services to M&S. This is a service that is provided by another partner.”
