The Guardian - UK
Business
Sarah Butler

M&S contractor ‘investigating whether it was gateway for cyber-attack’

M&S has been battling to recover from the cyber-attack on Easter weekend and does not expect its IT systems to fully recover until July. Photograph: Vuk Valcic/ZUMA Press Wire/Shutterstock

An Indian company that operates Marks & Spencer’s IT helpdesk is reportedly investigating whether it was used by cybercriminals to gain access to systems at the retailer, which is battling a devastating hack.

M&S said this week that “threat actors” had gained access to the retailer’s systems through one of its contractors – understood to be Tata Consultancy Services (TCS).

The clothing, food and homeware retailer confirmed the hackers used “social engineering” techniques to attack them, such as posing as a staff member to fool a helpdesk into giving away passwords.

TCS, which has worked with M&S for more than a decade, has been helping the retailer with its inquiries into the cyber-attack, which began over the Easter weekend. The retailer said the attack could cost it up to £300m in profit.

The Mumbai-based group is conducting an internal inquiry, expected to conclude this month, into whether its employees or systems were linked to the attack, according to the Financial Times.

Discerning the exact route the hackers took could be important for M&S and TCS as the Information Commissioner’s Office (ICO), the UK’s data watchdog, will examine who might face a fine for any loss of customer and staff data as a result of the hack.

The ICO can impose a fine of up to £17.5m or 4% of worldwide annual turnover, whichever is greater, and will take into account the nature and seriousness of a failure, how individuals have been affected, and whether other regulatory authorities are already taking action.

British Airways faced a £20m fine from the ICO in 2018 after hackers diverted traffic to a fake website, allowing them to access personal data, while Tesco Bank was hit with a £16.4m fine after hackers stole customer card details.

M&S has been battling to recover for a month. The attack forced M&S to stop orders via its website, while deliveries of food and fashion into stores and some deliveries to its online food partner, Ocado, have also been disrupted.

M&S has admitted that some personal information relating to thousands of customers – including names, addresses, dates of birth and order histories – was taken.

The TCS investigation comes as M&S’s operations continue to be disrupted by the hack, with stock levels in stores affected. Its website is not expected to be fully functioning again until July.

The attack, which has been attributed to the hacking collective Scattered Spider, emerged days before similar cyber-attacks were reported against the Co-op and Harrods.

Staff at some of the Co-op’s grocery stores are still struggling to keep shelves fully stocked this week.

TCS was approached for comment.
