TechRadar
Ellen Jennings-Trace

M&S drops TCS IT service desk contract

Marks and Spencer store UK.
  • Marks and Spencer has dropped its IT service desk provider
  • This follows an investigation into the source of a huge cyberattack
  • The tech firm says the two are 'clearly unrelated'

Marks and Spencer (M&S) confirmed it has dropped its IT Service Desk partnership with Indian IT firm Tata Consultancy Services (TCS).

The contract has been ended after TCS was investigated over speculation that it may be the source of the devastating cyberattack which halted systems in store and online - although the source is not yet confirmed.

"Regarding the IT service desk contract specifically, as is usual process, we went to market to test for the most suitable product available, ran a thorough process and instructed a new provider this summer. This process started in January, and this change has no bearing on our wider TCS relationship," a spokesperson told The Register.

Sophisticated impersonation

The M&S attack, which has now been confirmed as a ransomware attack that also affected retail giant Co-op, caused chaos on the high street and had a total financial impact of between £270 million and £440 million.

The hackers are said to have used a ‘sophisticated impersonation’ to gain entry ‘involving a third-party’ - although it hasn’t been confirmed what the exact circumstances were surrounding the incident.

TCS is still in partnership with M&S for a number of other technologies and IT services, and says that the service desk contract termination and cyberattack were ‘clearly unrelated’ and that the process had begun long before the April incident.

"As both M&S and TCS have clarified, the service desk contract with M&S followed a regular competitive RFP process initiated in January 2025, with M&S opting to proceed with other partners much prior to the cyber incident in April 2025. These matters are hence clearly unrelated. In fact, we continue to work on numerous other areas, in our role as a strategic partner for M&S and are proud of this longstanding partnership," a TCS spokesperson told TechRadarPro.

"On the cyber incident itself, as previously clarified, TCS conducted a review of our own networks and systems and our conclusion is that the vulnerabilities have not originated from there. TCS does not provide cyber security services to M&S. This is a service that is provided by another partner."

Third-party vendors and contractors are increasingly used to gain access to larger, more lucrative targets - which should be a wake-up call for cybersecurity teams.

“Modern retail environments are complex, containing hundreds of connected devices integrated within sophisticated online retail supply chains,” says Neil Thacker, Global Privacy & Data Protection Officer at Netskope.

“System integrations are what make retailers agile, and able to find huge efficiencies in their business operations, but they also potentially leave companies exposed because a successful infiltration in one part of the business can quickly spread laterally to other business critical systems.”
