- Marks and Spencer has dropped its IT service desk provider
- This follows an investigation into the source of a huge cyber attack
- The tech firm says the two are ‘clearly unrelated’
Marks and Spencer (M&S) has confirmed that it has dropped its IT Service Desk partnership with Indian IT firm Tata Consultancy Services (TCS).
The contract has been terminated after TCS was investigated amid speculation it may be the source of the devastating cyber attack that shut down in-store and online systems – although the source has yet to be confirmed.
“In terms of the IT service desk contract specifically, as is a normal process, we went to market to test for the most suitable product available, ran a thorough process and briefed a new provider this summer. This process started in January and this change has no impact on our wider TCS relationship,” a spokesperson said. The register.
Sophisticated imitation
The M&S attack wreaked havoc on the high street, which has now been confirmed as a ransomware attack that also hit the retail giant Co-op – and had a total financial impact of between £270m and £440m.
The hackers are said to have used a ‘sophisticated impersonation’ to gain access ‘with the involvement of a third party’ – although it has not been confirmed what the exact circumstances were surrounding the incident.
Still partnering with M&S on a number of other technologies and IT services, TCS says the service desk contract termination and cyber attack were ‘clearly unrelated’ and that the process had begun long before the April incident.
“As both M&S and TCS have clarified, the service desk contract with M&S followed a regular competitive RFP process that commenced in January 2025, with M&S choosing to continue with other partners well in advance of the April 2025 cyber incident. These relationships are therefore clearly independent. In fact, we continue to work in several other strategic areas and we have long championed this role in our partnership,” said a spokesperson for TCS TechRadarPro.
“On the cyber incident itself, as previously clarified, TCS has conducted a review of our own networks and systems and our conclusion is that the vulnerabilities did not originate there. TCS does not provide cyber security services to M&S. This is a service provided by another partner.”
Third-party vendors and contractors are increasingly being used to gain access to larger, more lucrative targets—which should be a wake-up call for cybersecurity teams.
“Modern retail environments are complex and contain hundreds of connected devices integrated into sophisticated online retail supply chains,” said Neil Thacker, Global Privacy & Data Protection Officer at Netskope.
“System integrations are what make retailers agile and able to find huge efficiencies in their business operations, but they also potentially leave companies exposed because a successful infiltration in one part of the business can quickly spread laterally to other business-critical systems.”
The best protection against identity theft for all budgets
