British retail giant Marks & Spencer (M&S) has ended its decade-long technology partnership with Tata Consultancy Services (TCS) after a crippling cyberattack earlier this year that caused estimated losses of ₹3,200 crore (£300 million). The attack forced M&S to shut down online operations for several weeks and left physical stores grappling with disrupted supply chains and inventory shortages.
The breach was traced to a hacking group known as Scattered Spider, which infiltrated the retailer’s systems using social engineering tactics—impersonating senior executives to deceive helpdesk staff into resetting internal access credentials.
Vendor Exposure Under Scrutiny
The attack has intensified questions around the security of outsourced IT environments, as TCS was responsible for managing M&S’s helpdesk support at the time. In testimony before the UK Parliament’s Business Select Committee, M&S Chairman Archie Norman said the breach involved “sophisticated impersonation through a third-party vendor,” though he stopped short of directly blaming TCS.
TCS launched an internal investigation and said it found no evidence of compromise within its own systems, asserting that the intrusion occurred “within the client’s environment.” The company also noted that it continues to work closely with M&S across other strategic areas, including data-center and cloud operations.
Outsourcing and the Human Element in Cybersecurity
M&S clarified that its decision to transition vendors was part of a pre-planned review process, initiated months before the breach, and unrelated to the incident. However, analysts argue that the episode highlights a larger problem — human error as the weakest link in modern cybersecurity.
Experts say that large-scale outsourcing models create complex access layers where helpdesk teams serve multiple clients using scripted workflows, making them vulnerable to impersonation and manipulation. As digital ecosystems grow more interdependent, they warn that organizations must adopt zero-trust frameworks, stronger identity verification, and multi-factor authentication to reduce the risk of social engineering attacks.
The M&S breach stands as a cautionary tale for global enterprises pursuing cost efficiencies through offshore IT partnerships. Even the most advanced security tools, experts say, cannot fully prevent incidents where people, not systems, are the entry point. The incident has reignited industry-wide conversations around vendor accountability, contractual cybersecurity standards, and the need for tighter human verification protocols in an era of rising digital threats.
