Marks & Spencer has ended its longstanding IT service desk contract with Tata Consultancy Services (TCS), months after the UK retailer suffered a major cyberattack that disrupted online operations and slashed its share price. Though both companies insist the contract termination was unrelated to the breach, the timing has drawn attention amid heightened scrutiny over third-party cybersecurity risks.

TCS, India’s largest IT services firm, was initially suspected as a possible breach vector due to the scope of integration with M&S’s IT infrastructure. However, an internal investigation cleared TCS of any involvement.

Despite this, M&S chose to proceed with a new provider following a procurement review that began before the cyberattack took place.

Why It Matters: This development reflects a growing tension between operational continuity, cybersecurity accountability, and supplier risk in enterprise environments. Even when exonerated, IT vendors can suffer reputational or contractual fallout as clients recalibrate their risk exposure.

• Termination of Longstanding Partnership Follows £300mn Cyber Impact: Marks & Spencer’s decision to end its IT service desk contract with TCS comes after financial fallout from an April cyberattack that severely disrupted operations. The breach led to a full suspension of online orders and affected inventory availability in stores. Company leadership has since projected that the incident could reduce operating profits by up to £300 million this year.

• TCS Cleared of Blame but Still Dropped: Tata Consultancy Services had been integrated into M&S’s IT architecture for over ten years. The company was asked to investigate whether its systems played a role in the breach, but concluded there were “no indicators of compromise” in its network and reaffirmed its cybersecurity posture. M&S still chose not to renew the service desk contract, raising questions about whether perception, optics, or trust factored into the final decision.

• Procurement Process Preceded the Incident, But Timing Raises Eyebrows: Both M&S and TCS maintain that the contract review began in January, three months before the cyberattack occurred. M&S described the review as part of its “usual process” of testing the market for the most suitable vendor. The eventual decision to select a different provider occurred in the wake of the April breach, suggesting that while the timeline may be legitimate, the context likely influenced stakeholder perceptions and internal risk reassessments.

• Continued Collaboration Suggests No Total Severing of Ties: Although parting ways on the service desk front, M&S continues to use TCS for several other technology and IT services. Partial disengagement suggests that while the company sought change in a specific operational area, it has not completely severed ties with its long-time technology partner.

• TCS Faces Broader Political and Regulatory Scrutiny Over Cyber Incidents: In response to inquiries from Liam Byrne, chair of the House of Commons business and trade select committee, TCS submitted a formal statement asserting that it had no connection to three high-profile cyber incidents in the UK, including those affecting M&S and Jaguar Land Rover. With over 200 UK-based clients in sectors such as finance, energy, and nuclear, TCS is now navigating increased oversight and a heightened need to maintain trust at both enterprise and national levels.

Go Deeper -> M&S ends IT service desk contract with Indian provider after cyber attack – FT