M&S TCS Cyber Attack: Explained

The cyberattack took place in late April 2025. Marks & Spencer confirmed that its systems were hit by hackers, forcing the company to suspend online orders and parts of its click-and-collect operations. In-store payments and stock supplies were also affected, causing days of disruption across the UK.

A hacker group called Scattered Spider, also known as Octo Tempest, carried out the attack. The group used phishing and social engineering to gain access to M&S systems through a third-party contractor. They later deployed ransomware called DragonForce to lock company data and demand payment.

Hackers tricked helpdesk staff into revealing passwords and login credentials by pretending to be M&S employees. Once they gained access, they used ransomware to steal and encrypt company data. M&S’s CEO Stuart Machin said the breach occurred “via sophisticated impersonation involving a third-party vendor.”

TCS has denied any direct responsibility. The company said the attack happened “in the client’s own environment.” However, reports suggested that login credentials belonging to TCS staff were used in the infiltration. M&S has not blamed TCS publicly but confirmed the breach came through an external vendor.

The cyberattack caused heavy financial damage. M&S estimated losses of around £300 million in profit for the year and more than £1 billion in market value. Online orders, payments, and store operations were disrupted for weeks, affecting both customer trust and sales.

Both M&S and TCS say the contract decision was made earlier and not linked to the hack. M&S said the helpdesk renewal process began in January 2025, before the attack. The contract officially ended in July 2025. TCS continues to work with M&S on other IT projects.

The total value of M&S’s technology contracts with TCS is estimated at around $1 billion. However, the helpdesk portion that ended this year represented only a small part of the overall deal, according to TCS’s statement to investors.

A TCS spokesperson said, “The report linking the contract change to the cyberattack is misleading. TCS continues to support M&S in many strategic areas.”
M&S CEO Stuart Machin said, “We are working to strengthen our systems and rebuild customer confidence. Our focus is on recovery and security.”

Customers faced issues placing orders online and using contactless payments in stores. Some also reported delays in deliveries. M&S warned shoppers to watch for phishing emails or scams after customer data was stolen during the breach.

Yes. In September 2025, another TCS client, Jaguar Land Rover, faced a major cyberattack that halted factory operations in the UK. TCS said its own systems were not affected and that client projects disrupted by the incident would resume soon.

Experts say repeated attacks on major clients like M&S and JLR have raised pressure on Indian IT firms. Cybersecurity is now seen as a major risk factor in outsourcing deals. Analysts say companies must strengthen vendor oversight and train staff to avoid social-engineering traps.

M&S is rebuilding its digital infrastructure and reviewing all vendor partnerships. The company expects full recovery of operations and online services. It has also started investing more in cybersecurity to prevent future breaches.

M&S hired cybersecurity firm CrowdStrike to investigate and strengthen its digital defences. The company also launched an internal audit of all third-party vendor systems.

While M&S says the breach is contained, cybersecurity experts warn that leaked data could still be used in phishing or identity theft attempts. Customers have been advised to change passwords and be cautious of suspicious emails.