Key Points
- Tata Consultancy Services (TCS) has renewed its multi-year strategic partnership with Marks & Spencer (M&S), continuing as the retailer’s technology partner amid digital transformation efforts.
- The renewal comes one year after a major cyberattack in April 2025, which reportedly cost M&S hundreds of millions of pounds and involved hackers tricking TCS helpdesk employees into granting login credentials.
- M&S did not renew its specific IT service desk contract with TCS, opting for a new provider after a competitive request for proposal (RFP) process started in January 2025—months before the cyber incident—but maintained the broader partnership.
- TCS conducted an internal investigation, exonerating itself by stating no TCS systems or users were compromised, and emphasised that the service desk decision was unrelated to the attack.
- Reports in The Telegraph claimed M&S ousted TCS over £300m cyberattack failures, but TCS dismissed this as exaggerated, noting the service desk was an insignificant part of their £1 billion technology modernisation engagement.
- M&S stated: “TCS provides a number of technology and IT services for M&S and we value our partnership with the TCS team,” while clarifying the service desk change followed standard market testing.
- TCS affirmed: “As both M&S and TCS have clarified, the service desk contract with M&S followed a regular competitive RFP process initiated in January 2025, with M&S opting to proceed with other partners much prior to the cyber incident in April 2025. These matters are hence clearly unrelated.”
- The cyberattack exploited human vulnerabilities via a phone call impersonating M&S employees, leading to data loss, payment disruptions, and an estimated ₹3,000 crore (approximately £300m) financial hit for M&S.
- TCS refuted claims of losing a $1 billion contract, calling them “highly exaggerated and baseless,” and highlighted their ongoing role in numerous other areas as M&S’s strategic partner.
- Both companies stressed the continued strength of their longstanding partnership despite the service desk change and cyber incident.
Marks & Spencer (M&S), the iconic British retailer, has renewed its strategic partnership with Tata Consultancy Services (TCS) just a year after a devastating cyberattack that implicated the Indian IT firm’s helpdesk, signalling confidence in its broader technology capabilities despite past controversies.
The renewal, announced recently, underscores M&S’s commitment to digital transformation as it navigates a competitive retail landscape, even as questions linger over cybersecurity lapses from the April 2025 incident. As reported by unnamed correspondents at Retail Technology Innovation Hub, TCS will continue serving as M&S’s key technology partner, focusing on modernisation efforts valued at around $1 billion. This development follows intense scrutiny last year, when media outlets linked TCS to the breach that reportedly cost M&S £300 million.
What Triggered the 2025 Cyberattack on M&S?
The cyberattack that rocked M&S in April 2025 originated not from sophisticated firewall breaches but from a deceptively simple social engineering ploy. As detailed in a Reddit discussion by user Secure_nerd on r/Cybersecurity101, hackers impersonated M&S employees in a single phone call to the TCS helpdesk, tricking staff into divulging login credentials. This led to widespread data loss, payment processing failures, and operational chaos across the retailer’s systems.
The financial toll was immense, with estimates pegged at ₹3,000 crore—equivalent to roughly £300 million—highlighting the vulnerability of outsourced IT services to human error. M&S, known for its clothing, food, and homeware offerings, faced significant disruptions during a critical trading period, amplifying the incident’s impact on revenues and customer trust.
Why Did M&S End the IT Service Desk Contract with TCS?
Months before the cyberattack surfaced publicly, M&S initiated a standard competitive process for its IT service desk contract. As reported by analysts at Breached Company, the RFP began in January 2025, and M&S selected a new provider by summer, a decision both firms insist was coincidental to the April breach.
“This process started in January and this change has no bearing on our wider TCS relationship,” M&S stated clearly in response to speculation. TCS echoed this, noting in a filing that M&S opted for other partners “much prior to the cyber incident in April 2025.” The service desk, handling routine tech support, represented only a minor fraction of TCS’s overall £1 billion engagement, which encompasses broader technology modernisation.
How Did TCS Respond to Accusations of Blame?
TCS moved swiftly to defend its reputation post-incident. In June 2025, the firm concluded an internal investigation, declaring at its annual shareholder meeting that “no TCS systems or users were compromised” and “none of our other customers are impacted.” This self-exoneration, while technical, did little to quell media narratives.
As covered by Sreeram Ananta of Times of India, TCS dismissed a Telegraph report claiming M&S ended a ‘$1-billion’ contract over the attack, saying the contract decision was “not due to cyber attack.” The commercial aspect of the service desk was “an insignificant part of TCS’ overall engagement with M&S,” TCS clarified, and the assertion of a $1 billion renewal loss was “highly exaggerated and baseless.” The Telegraph later removed the contract value figure.
TCS further asserted: “In fact, we continue to work on numerous other areas, in our role as a strategic partner for M&S and are proud of this longstanding partnership.”
What Was the Media Firestorm Surrounding the Incident?
The Telegraph’s October 2025 article, titled ‘M&S ousts Indian outsourcer accused of £300m cyber attack failures,’ ignited a media storm. As recounted by Retail Technology Innovation Hub correspondents, it closely followed TCS’s internal probe and prompted a rare joint clarification from both companies.
“TCS provides a number of technology and IT services for M&S and we value our partnership with the TCS team,” M&S responded. “Regarding the IT service desk contract specifically, as is usual process, we went to market to test for the most suitable product available, ran a thorough process and instructed a new provider this summer.”
Infosecurity Magazine reported TCS refuting claims of losing the M&S contract outright, emphasising the service desk termination predated the hack. Discussions on Reddit’s r/unitedkingdom echoed public outrage, with users decrying the termination as a fallout from the ₹3,000 crore debacle.
When and Why Was the TCS-M&S Partnership Renewed?
Fast-forward to April 2026, and TCS announced the renewal of its multi-year deal, as per The Grocer’s coverage. This move reaffirms TCS’s pivotal role in M&S’s digital push, including cloud migration, data analytics, and e-commerce enhancements—areas critical for competing with online giants like Amazon and Next.
The decision reflects a pragmatic assessment: while the service desk lapse exposed risks, TCS’s decade-long track record on larger projects outweighed isolated issues. “Hitting back,” as Retail Technology Innovation Hub phrased it, TCS leveraged the clarification to rebuild trust, positioning itself as indispensable for M&S’s transformation.
Who Are the Key Players in This Partnership?
Marks & Spencer, a high-street staple since 1884, relies on TCS for its £1 billion tech overhaul, a partnership spanning over a decade. TCS, India’s largest IT services exporter, manages complex operations for global clients, bringing expertise in AI, cybersecurity, and retail tech.
M&S CEO Stuart Machin has championed digital investments, while TCS CEO K Krithivasan oversees the firm’s UK operations. No individual quotes from executives surfaced in reports, but corporate statements underscore mutual reliance.
What Lessons Emerge for Retail Cybersecurity?
The episode spotlights social engineering as a persistent threat, even for firms with robust defences. TCS’s investigation pinpointed human error, not systemic flaws, yet it cost a contract and reputations. M&S’s RFP timing insulated broader ties, but the £300m hit prompted industry-wide reviews of outsourcing.
As Breached Company noted, technical vindication proved “insufficient to save the IT service desk contract,” urging firms to prioritise vendor vetting. Reddit users like Secure_nerd highlighted: “Hackers didn’t breach firewalls; instead, they exploited human vulnerabilities,” a wake-up call for training.
How Does This Impact M&S’s Digital Transformation?
M&S’s renewal signals resilience, accelerating goals like personalised shopping via AI and seamless omnichannel experiences. TCS’s continuity ensures no disruption to ongoing projects, vital as M&S targets £1 billion in online sales growth.
Yet, the cyber scar lingers, with stakeholders watching for enhanced protocols. Times of India’s Sreeram Ananta reported TCS’s pride in the “longstanding partnership,” hinting at fortified measures.
What’s Next for TCS and M&S Collaboration?
Looking ahead, the duo eyes AI-driven supply chains and cybersecurity overhauls. The Grocer hinted at expanded scopes, potentially including IT Security Training to fortify against future threats—essential for corporate teams handling sensitive data.