M&S IT help desk contract with TCS ends after cyberattack

Marks and Spencer’s (M&S) key IT contract with long-time partner Tata Consultancy Services (TCS) has ended, months after a devastating cyberattack hit the retailer.

Despite TCS clearing its own network in an internal investigation, M&S opted for a new provider following a contract renewal process that began in January.

M&S stated the change had “no bearing on our wider TCS relationship,” maintaining that the selection of a new provider was completed as part of a “usual process”.

The move follows a major hack on M&S in April, which forced the retailer to suspend online orders and resulted in bare shelves, with the total hit to operating profits expected to reach £300 million this year.

M&S Chairman Archie Norman told MPs in July that hackers had used “sophisticated impersonation” to gain entry “involving a third party.”

This comment immediately put the spotlight on the Indian outsourcing provider TCS which has worked with the UK group for over a decade. The decision to end the IT service desk contract came into effect in July.

However, TCS firmly countered, claiming M&S chose the new provider “much prior” to the April cyber incident, and stressed that the contract termination and the hack were “clearly unrelated.”

While the service desk contract is over, M&S confirmed it still uses TCS for a number of other technology services, stating, “we value our partnership with the TCS team.”

The focus now shifts to the broader implications of the cyberattack, which exploited a third-party access point. TCS, a major global IT provider, currently serves over 200 UK-based clients, including those in the finance, energy, and nuclear sectors, raising wider industry questions about supply chain security.