Unlock the Editor’s Digest for free

Tata Consultancy Services is examining whether it served as a gateway for a cyber attack on Marks and Spencer, which severely disrupted their operations and resulted in the theft of customer data.

The Indian IT giant, a longstanding service provider for M&S and the largest branch of Tata Sons based in Mumbai, aims to complete its investigation by the month’s end, according to someone familiar with the situation. This individual noted that TCS had been working alongside M&S on the investigation since the breach came to light around a month ago.

The cyber attack prompted the retailer to suspend its online clothing business for over three weeks, leading to a market capitalisation loss of more than £750 million. This incident is anticipated to result in an operating profit reduction of up to £300 million. The disruption is projected to last until July, and a UK police investigation is also underway.

This week, M&S chief executive Stuart Machin blamed the hack on “human error”, in his first detailed public comments on the incident, rather than weakness in the FTSE 100 company’s systems or cyber defence.

Machin added that staff at a third-party contractor were tricked. He declined to say whether the retailer had paid a ransom or if TCS, which employs more than 600,000 people and was chosen in 2018 as M&S’s “principal technology partner”, was the gateway used by the criminals.

TCS and M&S both declined to comment.

If the attack did originate from the Indian company, “it will definitely impact their brand image”, said Vaibhav Chechani, a Mumbai-based analyst at brokerage Nirmal Bang. “It’s quite embarrassing.”

M&S is just one of several household name UK retailers, including Co-op and luxury department store chain Harrods, to face attacks from cyber criminals in recent weeks. TCS has worked with Co-op since 2009 as a “strategic partner” helping it with “business-critical and workplace transformations”.

However, the IT outsourcing company, India’s largest, was not looking into whether it was connected to the recent cyber attack against Co-op as its services were not related to its tech infrastructure, said the person familiar with the matter.

The breach is the latest to be linked to India’s more than $280bn annual revenue tech industry, which has been struggling in recent years with tepid spending on its services in the US, its largest market.

This year, the country’s second-biggest outsourcer, Infosys, agreed to pay $17.5mn to settle a number of US lawsuits related to a 2023 cyber attack against an American subsidiary.

“Cyber crimes are increasing . . . this has been going up significantly,” said Chechani. “The thieves are getting more organised.”