The UK’s Marks & Spencer (M&S) has ended its contract with Indian IT giant Tata Consultancy Services (TCS), the company that managed its service desk. The decision was made in June, months after a high-profile cyberattack affected the retailer and its customers.
M&S has confirmed an end to its decade-long partnership with TCS. The contract was concluded in June, following an internal review done by TCS itself. TCS was the prime suspect for allowing the cyberattack to happen in the first place, but it cleared itself of responsibility for the cyber breach in April.
Archie Norman, chair of M&S, told MPs in June that the attack involved “sophisticated impersonation” through a third party. The incident is expected to reduce the company’s operating profits by up to £300m this year.
However, TCS explained that the two events – the end of the service desk contract and the cyberattack – were “clearly unrelated” and noted that M&S had already selected a new provider.
According to a statement cited by The Financial Times, M&S “had followed a regular competitive procurement process initiated in January, and chose another service provider “much prior to the cyber incident in April.”
M&S declined to comment on whether the cyberattack influenced the decision. TCS continues to provide other technology and IT services to M&S.
TCS provides services to more than 200 UK-based clients in sectors including finance, energy, water, and nuclear, as well as organizations such as Jaguar Land Rover, Rolls-Royce, and the UK Ministry of Defence.
What happened to M&S in April?
This year, during the Easter weekend on April 19th, M&S customers reported that they were unable to do contactless payments and use the "Click & Collect" services across 1049 stores. By April 21st, these systems were down nationwide.
The attackers gained access to the retailer’s systems by phishing employees of a third-party vendor and stealing their login credentials.
Subsequent investigations revealed that the ransomware group behind the attack was Scattered Spider, even though earlier DragonForce used an employee's email to contact M&S CEO and claim that it was responsible for the cyberattack.
In May, M&S forecast that the hacking of its systems would cost it about $405 million in lost operating profit in its 2025/26 financial year, though it hoped to halve that impact through insurance and cost controls.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked