Tata Consultancy Services confirmed its systems and user infrastructure remain uncompromised following the cyberattack that struck the retailer Marks & Spencer. At its annual shareholder meeting on 19 June, independent director Keki Mistry emphasised, “As no TCS systems or users were compromised, none of our other customers are impacted,” noting the ongoing M&S investigation does not extend to TCS systems.
M&S, which disclosed the cyber incident in April, continues to navigate significant disruption. The attack, attributed to the “highly sophisticated and targeted” Scattered Spider hacking group, reportedly utilised stolen help‑desk credentials from a TCS contractor. This led to the theft of personal data and forced the retailer to suspend online clothing sales for weeks—their online operations remain impaired, with recovery expected to extend into July.
Financial impact estimates remain stark. M&S anticipates a £300 million loss in operating profit, with weekly losses highlighted at approximately £40 million spanning clothing and food services. The retailer has drawn on its robust financial footing—boasting over £400 million in net funds before the incident—to support recovery measures. Insurance claims and cost containment strategies aim to offset roughly half of the losses.
The attack’s disruption extended to in‑store services, including payment systems and “meal‑deal” availability at stations, where stocks dwindled and meal‑deal offers were suspended. M&S CEO Stuart Machin described the incident as triggered by human error, stating that attackers duped a contractor’s help‑desk staff via social engineering tactics. Although M&S has not disclosed ransom payment details, hackers reportedly issued a ransom demand to Machin directly, claiming ransomware deployment across the retailer’s servers.
TCS had been internally probing whether its systems served as the breach gateway, an inquiry reportedly scheduled for completion by the end of May. With Mistry’s public assurance, TCS now distances itself from fault, while confirming its services to other clients—including the UK Co‑op—remained unaffected.
Beyond TCS, UK retailers Co‑op and Harrods have suffered similar breaches in recent weeks, prompting government authorities to call cybercrime “serious organised crime” and urge businesses to elevate cybersecurity priorities. The National Cyber Security Centre is rolling out new software security guidance for the sector.
M&S leadership has kick‑started accelerated IT modernisation, fast‑tracking system upgrades they had planned over two years into the next six months to strengthen defences. CEO Machin reaffirmed the retailer’s resilience, underlining transparency in communication and ongoing support to customers during the disruption.
While TCS’s reassurance quells immediate concerns among its client base, reputational challenges linger. Cybersecurity analysts warn that such high‑profile breaches erode trust in outsourcing vendors. Mumbai‑based brokerage Nirmal Bang commented that linkage to the attack would be “quite embarrassing” for TCS.
TCS’s absence of any formal probe initiation by regulators signals regulatory leniency. However, this episode spotlights the vulnerabilities inherent in third‑party access chains. As M&S works to restore its online footprint and TCS reaffirms its integrity, both firms face ongoing scrutiny over their cybersecurity governance.
