M&S Cyberattack Fallout: TCS Launches Internal Probe Into Possible Breach Role as Investigation Intensifies
In what is quickly becoming one of the most high-profile cyber incidents of the year, Tata Consultancy Services (TCS)—India’s largest IT services firm—has confirmed it is conducting an internal investigation to determine whether its infrastructure played a role in the devastating cyberattack on Marks & Spencer (M&S). The UK retail giant has been battling the effects of this breach since late April or early May 2025, and while it originally pointed to a “third-party” source of compromise, new reports suggest that TCS’s systems may have been the attackers' point of entry.
This comes after weeks of disrupted operations at M&S, widespread customer concerns, and mounting financial losses, with the company estimating a £300 million hit to its profits and over £1 billion wiped off its market value. While M&S has not publicly named TCS as the source, multiple industry insiders and threat intelligence briefings suggest a direct connection.
Background: What We Know So Far
M&S announced it had been the target of a “sophisticated and targeted cyberattack”, which affected its internal and customer-facing systems, including its Sparks rewards program. The attackers are believed to have gained access through a third-party IT vendor. Customer data including names, dates of birth, contact information, and online order history was accessed. While no financial data or passwords were reportedly stolen, the breach still exposed personally identifiable information (PII). M&S had to take online services down for weeks, suffered disrupted operations, and conducted emergency mitigation, including a forced password reset for all online users.
Now, as the dust settles, attention has turned toward TCS, a long-standing IT partner of M&S for more than a decade, managing critical parts of its digital infrastructure.
Who Is TCS and Why It Matters
Tata Consultancy Services, part of India’s Tata Group, is one of the world’s largest IT services firms. With more than 600,000 employees worldwide, it manages outsourced IT systems for some of the biggest names in business—including Co-op, Nationwide, easyJet, Jaguar Land Rover, and HSBC.
If TCS’s infrastructure was used as a gateway into M&S’s systems, it would expose a serious “concentration risk”—the vulnerability created when too many businesses rely on a few major IT vendors. A single compromised provider could potentially open doors to multiple enterprise targets across industries.
Enter the Suspected Threat Actor: Scattered Spider
Cybersecurity experts believe the attack was carried out by Scattered Spider, a notorious hacking group linked to multiple sophisticated intrusions across the UK and US in recent years. Known for its social engineering skills and its targeting of managed service providers (MSPs), the group has allegedly been involved in recent incidents against Co-op and other TCS-linked clients.
Scattered Spider is described as a “highly advanced and aggressive threat actor” that uses a mix of phishing, credential harvesting, and lateral movement tactics. In this case, experts suspect that attackers leveraged TCS’s privileged access to M&S infrastructure—potentially through insecure vendor systems, remote access configurations, or dormant admin credentials.
What Was Compromised?
While M&S has reassured customers that payment card details and login credentials were not accessed, the sensitive nature of the exposed PII still poses a significant risk. Full names, email addresses, postal information, and order histories can be exploited for:
- Targeted phishing campaigns
- Social engineering attacks
- Credential stuffing, if reused passwords are discovered elsewhere
- Identity theft or synthetic ID creation
Additionally, the Sparks loyalty program, which ties customer identities to shopping behavior, was impacted—raising concerns about the future security of retail loyalty ecosystems in general.
Why This Incident Matters
For the General Public
This breach is a sobering reminder that your personal data can be compromised not only by the company you directly interact with but also through its partners. Even large, trusted brands like M&S are only as secure as the weakest link in their supply chain. It also demonstrates that service disruptions, privacy breaches, and financial losses can continue for weeks, long after a breach is first reported. Consumers are urged to be vigilant for suspicious emails, reset passwords, and monitor for identity theft or fraud.
For Students and Educators
This is a real-time case study in:
- Third-party risk management
- Cybersecurity governance
- Crisis communication
- Digital supply chain vulnerabilities
Business students can analyze the reputational impact and stock response. IT and cybersecurity learners can dissect how misconfigurations or access privileges may have allowed attackers to move laterally within systems. This is textbook material in the making.
For Corporate Employees and Executives
At both M&S and TCS, and across their extended ecosystem, this event is a wake-up call about the importance of strict vendor access controls, auditable permissions, endpoint monitoring, and shared accountability. TCS clients will now likely demand:
- Enhanced contractual security clauses
- Mandatory compliance with cyber resilience frameworks
- Full transparency in third-party investigations
HSBC, also a TCS client, recently noted in its internal disclosures that cybersecurity has become its single largest operational cost—a trend now accelerating across industries.
Systemic Implications: Third-Party Vendors as Cyber "Supernodes"
This incident shines a harsh spotlight on the systemic vulnerability of outsourced IT architecture. Companies like TCS hold privileged access across hundreds of corporate networks. A single breach at a vendor can become a multiplicative threat, enabling hackers to target not one organization, but dozens or even hundreds. This creates what cybersecurity researchers call “supernode risk”—where vendors unintentionally become the weakest links in a hyperconnected digital supply chain. The efficiency of outsourcing is thus offset by an exponentially higher cyber-attack surface.
Government and Legislative Response
In the UK, this breach may give new momentum to a proposed Cyber Resilience Bill, aimed at improving supply chain security across critical industries. While still under discussion, the bill could introduce:
- Mandatory breach disclosure timelines
- Auditable vendor compliance frameworks
- Liability assignment for third-party breaches
- Fines for non-compliance or failure to notify consumers
Regulators and lawmakers are paying close attention, especially given the estimated financial damage to M&S and potential implications for other enterprise clients.
Company Responses So Far
M&S
M&S CEO Stuart Machin described the attack as “highly targeted and sophisticated”, and praised the company’s internal teams and partners for responding quickly. The company is working closely with the UK’s National Cyber Security Centre (NCSC) and has implemented:
- Forced password resets
- Account monitoring
- Enhanced fraud detection systems
- Legal options for customer compensation
TCS
TCS has launched a formal internal investigation, expected to conclude by the end of May 2025. While the company has not yet confirmed whether its infrastructure was compromised, sources indicate that deep log analysis and forensic audits are underway. TCS has stated that “customer trust and data security are top priorities”, and has pledged full cooperation with M&S, law enforcement, and regulatory bodies.
What Happens Next?
Several key developments are anticipated over the next few weeks:
- TCS’s final audit report and public statement
- Possible shareholder response to M&S's financial losses
- Further revelations about whether other TCS clients were affected
- Regulatory responses from the UK Information Commissioner’s Office (ICO) and Parliament