Marks & Spencer and Tata Consultancy Services have clarified why their long-running helpdesk arrangement changed this year, after media reports linked the decision to a high-profile April cyber breach.
Samay in 60 Seconds
- Marks & Spencer (M&S) ended its IT service-desk contract in July 2025 after a routine competitive tender that began in January 2025.
- Tata Consultancy Services (TCS) says the decision was made before the April cyberattack and calls recent press coverage misleading.
- The April incident forced M&S to suspend parts of its online operations for weeks and is reported to have reduced operating profits by about £300m.
- Investigators say the breach involved social-engineering impersonation via a third-party helpdesk; TCS says it found no compromise within its own network.
Marks and Spencer TCS Cyber Attack Key Details
| Detail | Information |
|---|---|
| Event | M&S cyber incident and helpdesk contract change |
| Cyber incident | April 2025 — social engineering impersonation affecting online sales |
| Estimated loss | About £300 million operating profit impact (reported) |
| Contract process | Tender began January 2025; new provider instructed in summer 2025 |
| TCS position | Says decision pre-dated attack and that no indicators of compromise were found in TCS systems |
What happened — marks & spencer and the service-desk change
Marks & Spencer ran a competitive procurement for its IT service desk starting in January 2025 and selected a different provider in the summer. The retailer says the move followed its standard review process and has no bearing on its wider relationship with TCS.
Separately, Marks & Spencer suffered a significant cyber incident in April 2025 that disrupted clothing and furniture online sales for several weeks and affected some store operations. The company has worked with UK agencies and external partners as part of the response, and the incident is reported to have materially affected the year’s operating profits.
Why it matters — vendor risk and corporate continuity
Many large retailers outsource functions such as helpdesks to centralise support and control costs. When attackers target human processes — for example by impersonating senior executives to trick helpdesk staff — the risk crosses simple perimeter defences. The M&S episode highlights how social engineering can be a gateway to broader disruption, and why firms must harden verification and privileged-access controls across vendor channels.
What TCS says — denial and clarification
TCS described a recent newspaper story that linked the helpdesk contract change to the cyber incident as misleading and factually incorrect. The company says the helpdesk tender predated the April attack, that the service-desk work represents a small part of its overall engagement with M&S, and that internal checks found no indicators of compromise within TCS systems. TCS added that it continues to provide multiple other technology services to M&S.
Investigations and parliamentary scrutiny
M&S chairman Archie Norman told MPs that attackers used “sophisticated impersonation involving a third-party vendor.” The UK Business and Trade Select Committee has sought clarification from suppliers and vendors connected to the incident, and the breach has prompted wider scrutiny of vendor controls and incident reporting practices.
Impact on you — what companies and customers should note
- Customers: Service outages and recovery periods can be prolonged after complex breaches; expect delays while systems and supply chains are restored.
- Businesses: Regular vendor reviews remain normal commercial practice — but boards and security teams should prioritise verification procedures, multi-factor authentication and strict segmentation to limit social-engineering risk.
- Suppliers: Commercial contracts for non-security services may be rebid for ordinary commercial reasons; transparent cooperation with investigations helps maintain trust with clients and regulators.
Samay’s Voice — quick take
Two clear timelines matter: M&S began tendering for a new helpdesk in January 2025, and a damaging cyber incident struck in April. Those facts allow for separate explanations — commercial procurement and a security breach — while also underscoring the need for stronger human verification across vendor channels.
Street FAQs
Did Marks & Spencer terminate TCS because of the hack?
No. Both M&S and TCS say the helpdesk tender began in January and the choice of a new provider was part of a standard procurement process. Neither company says the tender decision was made in response to the April incident.
Was TCS responsible for the breach?
TCS says its internal scans found no evidence of compromise in its network and that it does not provide M&S’s cybersecurity services. Investigations and parliamentary inquiries have sought further details; no public regulator has attributed legal liability to TCS.
How large was the financial hit to Marks & Spencer?
Reports indicate the attack may reduce operating profits by roughly £300 million for the year; the company has engaged insurers and investigators as part of its recovery and response.
Will UK firms stop outsourcing to Indian providers?
Outsourcing remains widespread. The incident has renewed debate about vendor oversight, human-factor controls and contractual accountability, but many firms continue to rely on offshore partners while strengthening risk controls.
Samay Recommends
Sources
- Public statements from Tata Consultancy Services and Marks & Spencer.
- UK parliamentary testimony and reporting on the April 2025 incident.
- Contemporary reporting from Reuters, Financial Times, The Telegraph and other UK outlets.
