Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
Tata Consultancy Services is internally investigating whether it was the gateway for a cyber attack against Marks and Spencer that wreaked havoc at the retailer and led to the theft of customer data.
The Indian IT company, which has provided services to M&S for more than a decade and is the largest arm of the Mumbai-headquartered conglomerate Tata Sons, hopes to conclude the probe by the end of the month, according to a person with knowledge of the matter. TCS had been investigating the incident in tandem with M&S since the retailer disclosed it a month ago, the person added.
The breach forced the retailer to shut down its online clothing business for more than three weeks, wiping more than £750mn off its market capitalisation, and is set to result in an up to £300mn hit to operating profit. The disruption is expected to continue until July and a UK police investigation was also launched.
This week, M&S chief executive Stuart Machin blamed the hack on “human error”, in his first detailed public comments on the incident, rather than weakness in the FTSE 100 company’s systems or cyber defence.
Machin added that staff at a third-party contractor were tricked. He declined to say whether the retailer had paid a ransom or if TCS, which employs more than 600,000 people and was chosen in 2018 as M&S’s “principal technology partner”, was the gateway used by the criminals.
TCS and M&S both declined to comment.
If the attack did originate from the Indian company, “it will definitely impact their brand image”, said Vaibhav Chechani, a Mumbai-based analyst at brokerage Nirmal Bang. “It’s quite embarrassing.”
M&S is just one of several household name UK retailers, including Co-op and luxury department store chain Harrods, to face attacks from cyber criminals in recent weeks. TCS has worked with Co-op since 2009 as a “strategic partner” helping it with “business-critical and workplace transformations”.
However, the IT outsourcing company, India’s largest, was not looking into whether it was connected to the recent cyber attack against Co-op as its services were not related to its tech infrastructure, said the person familiar with the matter.
The breach is the latest to be linked to India’s more than $280bn annual revenue tech industry, which has been struggling in recent years with tepid spending on its services in the US, its largest market.
This year, the country’s second-biggest outsourcer, Infosys, agreed to pay $17.5mn to settle a number of US lawsuits related to a 2023 cyber attack against an American subsidiary.
“Cyber crimes are increasing . . . this has been going up significantly,” said Chechani. “The thieves are getting more organised.”