TCS probes role in cyberattack on UK retailer M&S after £300 mn profit hit

TCS is investigating if it was the entry point in a cyberattack on UK retailer M&S, which led to major disruptions and data theft, potentially costing the company £300 million (₹3,318 cr) in profit

IT services giant Tata Consultancy Services (TCS) is conducting an internal investigation to determine whether it was used as an entry point in a cyberattack on Marks & Spencer (M&S). The breach, which occurred over the busy Easter weekend, led to the theft of customer data and caused major disruptions to the British retailer’s operations. TCS, a long-standing technology partner of M&S, hopes to conclude its probe by the end of the month, according to a report by The Financial Times.

 

The cyberattack has had severe consequences for M&S. The company was forced to shut down its online clothing business for over three weeks. The disruption wiped more than £750 million (about ₹8,295 crore) off its market value and is expected to result in a loss of up to £300 million (about ₹3,318 crore) in operating profit. Online services are likely to remain affected until July. A UK police investigation into the matter is also underway.

 

M&S chief executive Stuart Machin recently broke his silence on the incident, blaming “human error” rather than a flaw in the retailer’s internal systems or cyber defences. “Staff at a third-party contractor were tricked,” Machin said, without confirming whether a ransom was paid or if TCS was indeed the entry point used by the hackers.

M&S and TCS: A deep partnership

Marks & Spencer began working with TCS in the early 2010s. In 2018, the retailer outsourced half of its tech jobs to the Indian firm, naming it its “principal technology partner.” The partnership was expanded again in 2023 to transform M&S’s entire tech stack.

 

A source at M&S told Reuters that TCS was a “means of access” during the cyberattack, with at least two TCS employees’ M\&S login credentials being used as part of the breach.

Not an isolated case

M&S is not the only UK retailer targeted in the recent wave of cyberattacks. The Co-op and luxury department store Harrods have also been victims. The Co-op, which has worked with TCS since 2009, reportedly managed to shut down the cyberattack before it caused significant damage.

 

Despite the link, TCS is not investigating any possible connection to the Co-op breach, as the services it provides to the supermarket chain are not related to its technology infrastructure, according to a person familiar with the matter.

Spotlight on third-party IT risks

The breach at M&S has once again brought attention to the risks associated with third-party IT outsourcing. The sector has seen declining demand from its key markets, including the United States.

 

Earlier this year, Infosys, India’s second-largest IT firm, agreed to pay $17.5 million to settle lawsuits in the US following a cyberattack on one of its subsidiaries in 2023.