Introduction
In April 2025, British retailer Marks & Spencer (M&S) suffered a major cyber-attack that forced it to halt online orders, impacted store operations and triggered a significant financial hit. At the centre of the investigation is the involvement of its long-standing IT services partner Tata Consultancy Services (TCS) — not as a confirmed perpetrator, but as a vendor whose credentials may have been misused. This article explores what happened, why it matters for businesses globally, and how organisations can learn from it.
What Happened?
Around the Easter weekend of 2025, M&S began experiencing disruptions: online orders and click-and-collect services were suspended, contactless payments were affected, and some stores reported inventory shortages.
Investigations revealed the breach stemmed from "social engineering" of a third-party vendor rather than a direct systems vulnerability.
According to some sources, the threat actor used login credentials of at least two employees of TCS (a vendor for M&S) to access M&S systems.
Financially, M&S estimated the attack would cost about £300 million (approx. US $400 million) in operating profit losses during the 2025/26 year.
TCS publicly stated that none of its systems or users were compromised, and the investigation into M&S’s incident does not include TCS’s networks.
Why the Vendor Link Matters
When businesses outsource IT or use third-party vendors, they often assume the vendor will protect all access paths. But this incident shows how attackers target the weakest link — often vendor credentials or access — to penetrate the primary target. In the M&S case:
The attacker bypassed M&S’s direct defences by impersonating a vendor’s account access.
Vendor risk management and credential/identity access control become critical.
The reputational and financial damage isn’t confined to the retailer; it ripples across the broader supply chain.
Impact on M&S
Business operations: Online orders paused, click-and-collect delayed, some store shelves reported as bare.
Financial: Estimated circa £300 million profit impact, plus market cap losses of over £1 billion.
Customer data: Some personal customer information was confirmed stolen — names, emails, birth dates — but no payment card data was believed to be taken.
TCS’s Position
TCS clarified that none of its systems or users were compromised in the breach.
Reports that TCS’s contract was terminated by M&S in response to the breach were rebutted; TCS called them “misleading” and said the vendor change was part of a regular procurement process.
This underlines how vendor organisations must not only protect their systems but also manage clear communications, transparency and contract governance.
Lessons for Businesses & Cybersecurity Teams
Vendor & Supply Chain Risk: Regular audits, strict access controls, MFA for vendor logins, and segmentation of vendor accounts are critical.
Identity/Access Management: Attackers increasingly exploit “trusted access” rather than purely technical vulnerabilities.
Incident Response & Business Continuity: M&S’s experience shows recovery may span weeks. Having robust plans, backup systems, and alternate channels matters.
Transparent Communication: Both internal stakeholders (employees) and external (customers, investors) must be managed during incidents to maintain trust.
Cyber Insurance & Financial Planning: With large estimated losses, companies need to factor cyber-risks into planning, insurance and reserves.
Reputation & Market Impact: The cost of downtime, reputational damage, and stock losses often exceeds the direct technical losses.
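As an added example (not from the article or from any organisation it names), a small Python audit that checks vendor sign-in events against a scoped access policy: it flags sign-ins lacking MFA, coming from outside the vendor’s network, falling outside the agreed change window, or reaching systems beyond the account’s scope. The policy, account name, IP ranges and log format are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed vendor access policy (hypothetical): each third-party account is
# scoped to an allowed source network, a change window, and the systems it may reach.
VENDOR_POLICY = {
    "svc-vendor-alice": {
        "cidr": ipaddress.ip_network("203.0.113.0/24"),
        "hours": (8, 18),                      # permitted local hours, [start, end)
        "systems": {"ticketing", "inventory-api"},
    },
}

@dataclass
class SignIn:
    ts: datetime
    user: str
    src_ip: str
    mfa: bool
    target: str

def parse_line(line):
    """Parse a constructed 'ts|user|src_ip|mfa=yes/no|target' audit line."""
    ts, user, ip, mfa, target = line.strip().split("|")
    return SignIn(datetime.fromisoformat(ts), user, ip, mfa == "mfa=yes", target)

def check_vendor_signin(ev):
    """Return the list of policy violations for one vendor sign-in (empty if clean)."""
    policy = VENDOR_POLICY.get(ev.user)
    if policy is None:
        return ["unknown vendor account"]
    findings = []
    if not ev.mfa:
        findings.append("no MFA")
    if ipaddress.ip_address(ev.src_ip) not in policy["cidr"]:
        findings.append("source outside vendor network")
    start, end = policy["hours"]
    if not start <= ev.ts.hour < end:
        findings.append("outside change window")
    if ev.target not in policy["systems"]:
        findings.append("target outside vendor scope")
    return findings

def audit(lines):
    """Map each flagged sign-in to its violations; clean sign-ins are omitted."""
    return {f"{ev.user}@{ev.ts.isoformat()}": f
            for ev in map(parse_line, lines) if (f := check_vendor_signin(ev))}

# Constructed sample audit lines (not taken from the incident).
SAMPLE = [
    "2025-04-17T10:05:00|svc-vendor-alice|203.0.113.7|mfa=yes|ticketing",
    "2025-04-19T02:40:00|svc-vendor-alice|198.51.100.9|mfa=no|hr-database",
]
```

Running `audit(SAMPLE)` flags only the second line, with all four violations listed; the same checks can be wired into a SIEM rule so that a vendor account used outside its agreed scope is alerted on rather than trusted by default.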
FAQ Section
Q1: Who attacked Marks & Spencer?
While the official attacker is not definitively named, cybersecurity sources attribute the breach to the group Scattered Spider, which is known for targeting vendors and using social-engineering methods.
Q2: Was Tata Consultancy Services (TCS) responsible for the breach?
No. TCS has stated that none of its systems or users were compromised in the incident and that the investigation into M&S’s breach does not include TCS networks.
Q3: What were the financial losses for M&S?
The retailer estimated a hit of about £300 million (approx. US $400 million) in operating profit for the 2025/26 year due to the breach and subsequent disruption.
Q4: Was customer payment data stolen?
M&S confirmed that some personal customer information (names, contact details, dates of birth) was stolen, but there was no evidence that payment card or account password data was accessed.
Q5: How can other retailers protect themselves?
Key steps include: stringent vendor access controls, multi-factor authentication (MFA) for all third-party accounts, regular vendor-risk audits, incident response planning, and segmentation of critical systems.
Q6: When did M&S resume services?
M&S restarted online orders in June 2025 and click-and-collect services resumed by August 2025, though full system normalcy took longer.
Q7: What reputation and market-value impact did the breach have?
The breach reportedly wiped over £1 billion from M&S’s market value and caused broader reputational damage, raising investor concerns and driving share price declines.
Published on: 27th October
Published by: Deepa R