Tata Consultancy Services (TCS), a long-time service provider to Marks & Spencer (M&S), is conducting an internal investigation to determine whether it served as the entry point for the cyberattack on the UK retailer. The Indian IT company aims to complete this internal probe by the end of the month, reported the Financial Times.
This comes after M&S chief executive Stuart Machin attributed the breach to ‘human error’, rather than vulnerabilities within the company’s systems or cybersecurity measures. Machin mentioned that employees of a third-party contractor were deceived, although he did not disclose whether a ransom was paid. He also refrained from specifying if TCS, which has been M&S’s principal technology partner since 2018, was the point of entry used by the attackers.
The breach, which resulted in the theft of some customer data, has significantly impacted M&S’ operations. It forced the British retailer to shut down its online clothing operations for over three weeks and disable certain food-related services. The hacking group known as Scattered Spider, which has also targeted other retailers such as Co-op and Harrods, is held responsible for this breach.
M&S faces significant financial impact from cyberattack
The incident resulted in a market capitalisation loss of more than £750m for the company. The disruption is anticipated to persist until July. The UK authorities are also conducting a separate investigation into the cyberattack.
Last week, M&S released its annual financial results for the year ending March 29, 2025. It acknowledged the cyberattack’s potential cost of up to £300m in operating profit for the current year. The company plans to counter this financial impact through cost management, insurance claims, and enhanced trading strategies. Additionally, M&S will categorise expenses directly associated with the breach as separate adjusting items in its financial statements.
TCS also provides services to British consumer co-operative Co-op. However, the company is not investigating any connection to a recent cyberattack on Co-op, as its services were reportedly unrelated to the Co-op’s technology infrastructure, FT said quoting a person familiar with the matter.
Meanwhile, Adidas announced a similar breach recently. In a statement, the German sportswear manufacturer said that an unauthorised external party accessed certain consumer data through a third-party customer service provider.
“We immediately took steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts,” it said in a statement. “The affected data does not contain passwords, credit card or any other payment-related information. It mainly consists of contact information relating to consumers who had contacted our customer service help desk in the past.”
As part of its response, Adidas is currently notifying potentially affected consumers about the breach.
Read more: Co-op joins M&S as latest victim in wave of cyberattacks on UK retail sector
