TCS slams 'misleading' The Telegraph report on M&S ending IT contract amid major cyber attack fall out

On Sunday, The Telegraph published an article entitled 'M&S ousts Indian outsourcer accused of £300m cyber attack failures'.

Marks and Spencer had, it noted, not renewed a deal with Tata Consultancy Services to run its tech helpdesk.

The article closely followed on from the Indian provider conducting an internal investigation over being the origin of a cyber attack that hit the UK retailer’s systems at a cost of hundreds of millions of pounds.

And it has caused something of a stir at TCS.

“TCS provides a number of technology and IT services for M&S and we value our partnership with the TCS team,” M&S said in a statement. 

“Regarding the IT service desk contract specifically, as is usual process, we went to market to test for the most suitable product available, ran a thorough process and instructed a new provider this summer.”

Meanwhile, TCS had its PR peeps contact RTIH with a spokesperson commenting: "The report published by The Telegraph is misleading, with several inaccuracies including the size of the contract and the continuity of TCS’ (Tata Consultancy Services) work for M&S.”

They added: “As both M&S and TCS have clarified, the service desk contract with M&S followed a regular competitive RFP process initiated in January 2025, with M&S opting to proceed with other partners much prior to the cyber incident in April 2025. These matters are hence clearly unrelated. In fact, we continue to work on numerous other areas, in our role as a strategic partner for M&S and are proud of this longstanding partnership.”

“On the cyber incident itself, as previously clarified, TCS conducted a review of our own networks and systems and our conclusion is that the vulnerabilities have not originated from there. TCS does not provide cyber security services to M&S. This is a service that is provided by another partner.”

Rachel Higham

Last month, it emerged that M&S Chief Digital and Technology Officer Rachel Higham was leaving the retailer in the wake of the aforementioned cyber attack.

Conducted by a group called Scattered Spider, this brought its online operations to a halt and resulted in empty shelves in stores.

A former WPP and BT Group executive, Higham was appointed by M&S in 2014. In an internal memo, it said she was "stepping back from her role…Rachel has been a steady hand and calm head at an extraordinary time for the business, and we wish her well for the future.”

At the time of the appointment, Stuart Machine, M&S Chief Executive, said that Higham joining the business, along with Mark Lemming becoming International Managing Director, “reflected the importance of Digital & Technology and capital light International growth to the next phase of our transformation. As I set out at our recent Capital Markets Day, we have more to do in both of these areas and so much opportunity.”

He added: “Rachel and Mark are fantastic additions to our executive team and I am confident that, with their leadership, we will accelerate the pace of change in the business as we reshape M&S for growth.”

Higham, meanwhile, commented: “I’m absolutely delighted to be joining Stuart Machin and the executive team at M&S at such an exciting time on their journey to reshape M&S for growth.”

Sources said that she was taking a career break. Operations Director Sacha Berendji, who has been Chief Recovery Officer since the cyber attack, has taken over her responsibilities.