TCS denies cyberattack link as Marks & Spencer ends IT service desk contract

TCS says M&S decision to end its IT service desk contract is “clearly unrelated” to the April cyberattack that disrupted the UK retailer’s operations.

British retailer Marks & Spencer (M&S) has ended its contract with Tata Consultancy Services (TCS) to operate its IT service desk, though both companies insist the move is unrelated to a cyberattack earlier this year, the Financial Times reported.


The decision concludes a partnership of more than a decade in which TCS managed several of M&S’s technology functions. M&S said the service desk contract ended in July, following a competitive procurement process launched in January 2025, months before the cyber incident.


“TCS provides a number of technology and IT services for M&S, and we value our partnership with the TCS team,” the retailer said in a statement cited by the Financial Times. “As is usual process, we went to market to test for the most suitable product available, ran a thorough process and instructed a new provider this summer. This change has no bearing on our wider TCS relationship,” it added.


Reports had earlier suggested that the contract’s termination was linked to the cyberattack that struck M&S in April 2025, forcing the retailer to halt online orders and leaving several stores with empty shelves. The attack is estimated to have cut operating profits by up to £300 million, according to British media.


However, TCS rejected speculation that it was in any way tied to the breach. “The retailer had followed a regular competitive procurement process initiated in January and chose another service provider much prior to the cyber incident in April. The two matters are clearly unrelated,” the Indian IT firm said.


TCS called reports linking the two issues “misleading,” clarifying that the IT service desk contract represented only a small part of its overall engagement with M&S. The company continues to provide several technology and digital transformation services to the retailer.


In a statement to UK lawmakers, TCS confirmed there was no evidence of compromise across its client networks, including M&S, Jaguar Land Rover, and other major UK-based customers. TCS said its systems remained secure and that it serves more than 200 UK clients in critical industries such as finance, energy, water and nuclear.


The April attack on M&S was described as a “sophisticated impersonation” campaign targeting a third-party vendor, according to M&S Chair Archie Norman, who testified before the House of Commons Business and Trade Committee. The retailer has since reinforced its cybersecurity protocols and incident response systems.


TCS, a subsidiary of Tata Sons, is one of India’s largest technology services exporters and a long-term IT partner for several global retailers. While the company’s clarification appears to have settled concerns about its role in the M&S breach, analysts say the episode highlights growing scrutiny of outsourced IT vendors following high-profile cyber incidents in the retail and banking sectors.


As cybersecurity pressures intensify, industry experts expect both companies to strengthen due diligence and transparency in their supplier networks, ensuring that operational disruptions do not undermine confidence in digital transformation partnerships.
