TCS under scrutiny as M&S cyberattack triggers $400Mn losses

LONDON, UNITED KINGDOM — Tata Consultancy Services (TCS), the Indian IT giant and principal technology partner to Marks & Spencer (M&S), is at the center of an internal probe after hackers exploited TCS employee credentials to breach M&S systems, resulting in unprecedented operational disruption and projected losses of up to $400 million.

TCS employee logins targeted in Scattered Spider cyberattack

The sophisticated attack, attributed to the notorious Scattered Spider group, began over the Easter weekend when hackers used the login credentials of at least two TCS employees to infiltrate M&S’s IT infrastructure.
TCS has been M&S’s principal technology partner for over a decade, managing critical IT helpdesk operations and digital transformation projects.
Both companies have declined to comment publicly while TCS conducts an internal investigation, expected to conclude by the end of May, according to Reuters.
M&S chief executive Stuart Machin earlier blamed “human error” rather than a flaw in the retailer’s internal systems or cyber defenses. “Staff at a third-party contractor were tricked,” Machin said.
Security analysts believe the attackers leveraged social engineering tactics—impersonating staff and manipulating IT helpdesks—to bypass multi-factor authentication and gain privileged access, echoing previous Scattered Spider campaigns against major casinos and retailers.

Prolonged disruption reveals global supply chain vulnerabilities

M&S’s online operations have been offline for over a month, with the retailer warning that disruptions may persist until July.
The breach forced the shutdown of online ordering, disrupted food supply chains, and exposed sensitive customer data, including names, birth dates, and purchase histories—though payment details remained secure.
The incident has highlighted the systemic risks posed by third-party vendors in globally connected supply chains. TCS, which also serves other major retailers including Co-op and Harrods, is not investigating links to other breaches, but the pattern of attacks has prompted calls for industry-wide reassessment of vendor risk management.

M&S faces financial, reputational fallout as recovery drags

M&S estimates the cyberattack will slash its operating profit by £300 million (US$400 million), with its market value dropping by over £1 billion (US$1.3 billion) since the incident.
The retailer’s leadership, including CEO Stuart Machin, has attributed the breach to human error at a third-party contractor rather than internal system flaws.
M&S has reset customer passwords and is working with authorities, insurers, and cybersecurity experts to restore operations and limit further damage.

Experts urge stronger third-party cybersecurity controls

The attack has triggered urgent debate among cybersecurity professionals about the adequacy of current vendor security protocols.
Experts warn that traditional authentication methods, such as SMS-based multi-factor authentication, are increasingly vulnerable to social engineering and phishing.
Calls are growing for the adoption of biometric verification and more rigorous employee training to counter evolving threats.
“The major disruption and sales loss M&S has seen following the incident serve as a powerful reminder to all organizations: cybersecurity must be treated as a board-level issue. No business is immune to cyber threats, and those with complex digital ecosystems are particularly vulnerable,” said Robert Cottrill, technology director at digital firm ANS.
As TCS’s internal investigation continues, the M&S breach stands as a stark warning to global retailers about the cascading risks of third-party cyber vulnerabilities—and the urgent need for robust, proactive defense strategies among outsourcing companies.