Marks & Spencer has terminated its technology helpdesk contract with Tata Consultancy Services, months after the retailer suffered a cyber attack which both parties state was unrelated to the Indian firm.

M&S said the process to find a new provider began in January, following a market test and provider selection process that concluded in the summer. “Regarding the IT service desk contract specifically, as is usual process, we went to market to test for the most suitable product available, ran a thorough process and instructed a new provider this summer,” an M&S spokesperson said, adding: “This process started in January and this change has no bearing on our wider TCS relationship.”

The company added: “TCS provides a number of technology and IT services for M&S and we value our partnership with the TCS team.”

The decision follows a spring breach in which hackers believed to be part of the Scattered Spider group infiltrated systems through social engineering, reportedly posing as senior executives to manipulate password reset processes.

M&S temporarily halted online orders and faced store disruption as it worked to contain the incident. In July, Archie Norman, the M&S chair, told MPs that attackers used “sophisticated impersonation” to gain entry “involving a third party.”

TCS, which has worked with M&S for more than a decade and remains a strategic partner across other technology areas including data centre and cloud services, said the termination and the breach were unconnected. “TCS does not provide cyber security services to Marks & Spencer. This is a service that is provided by another partner of M&S,” a TCS spokesperson said.

In correspondence with parliament, the company stated it found “no indicators of compromise within the TCS network” and said the breach occurred “in the client’s own environment.”

While both parties insist the helpdesk decision predates the attack, the move closes a chapter on a contract that saw TCS operate M&S’s technology support lines, including the authority to process password resets. M&S continues to work with TCS on other programmes, and both companies have reiterated their broader partnership.

EDIT – 30 October:

In response to this news – which was initially reported on by The Telegraph with additional claims made around the nature of the companies' contract – a spokesperson for TCS has provided the following statement to Retail Systems:

"The report published by The Telegraph is misleading, with several inaccuracies including the size of the contract and the continuity of TCS’ (Tata Consultancy Services) work for Marks & Spencer (M&S). As both M&S and TCS have clarified, the service desk contract with M&S followed a regular competitive RFP process initiated in January 2025, with M&S opting to proceed with other partners much prior to the cyber incident in April 2025. These matters are hence clearly unrelated. In fact, we continue to work on numerous other areas, in our role as a strategic partner for M&S and are proud of this longstanding partnership.

"On the cyber incident itself, as previously clarified, TCS conducted a review of our own networks and systems and our conclusion is that the vulnerabilities have not originated from there. TCS does not provide cyber security services to M&S. This is a service that is provided by another partner."

---