British retail giant **Marks & Spencer (M&S)** suffered a devastating **cyberattack in April 2025**, orchestrated by the **Scattered Spider** group via **third-party vendor impersonation**, exploiting credentials from **TCS help-desk employees**. The breach forced M&S to **shut down its online shopping platform**, suspend **click-and-collect services**, and disrupt **supply chain operations**, leading to **empty shelves in physical stores**. The financial impact was severe, with **£300 million in lost operating profit** and **£1 billion wiped from market capitalization**. The attack **damaged M&S’s reputation**, eroded customer trust, and prompted the **termination of its long-standing IT support contract with TCS**. The incident underscored vulnerabilities in **outsourced vendor access**, **social engineering risks**, and **supply chain cybersecurity**, causing **operational paralysis** and **competitive disadvantage** as rivals gained market share during the outage.
Source: https://www.linkedin.com/pulse/marks-spencer-cuts-ties-tata-consultancy-services-acvke
TPRM report: https://www.rankiteo.com/company/marks-and-spencer
"id": "mar3792037102625",
"linkid": "marks-and-spencer",
"type": "Cyber Attack",
"date": "4/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Millions (online shoppers, '
                                              'in-store customers)',
                        'industry': 'Retail (Clothing, Food, Home Goods)',
                        'location': 'United Kingdom',
                        'name': 'Marks & Spencer (M&S)',
                        'size': 'Large (Multinational, FTSE 100)',
                        'type': 'Retailer'},
                       {'industry': 'Information Technology',
                        'location': 'India (HQ: Mumbai)',
                        'name': 'Tata Consultancy Services (TCS)',
                        'size': 'Large (Multinational, 600,000+ employees)',
                        'type': 'IT Services Provider'}],
 'attack_vector': ['Sophisticated Impersonation',
                   'Third-Party Vendor Compromise (TCS Help-Desk Access)',
                   'Credential Theft'],
 'customer_advisories': ['M&S notifications about service disruptions',
                         'Apologies for order delays and stock shortages'],
 'date_detected': '2025-04',
 'date_publicly_disclosed': '2025-04',
 'description': 'British retail giant Marks & Spencer (M&S) suffered a '
                'high-profile cyberattack in April 2025, exploited through a '
                'third-party vendor (Tata Consultancy Services - TCS). The '
                'attack, attributed to the Scattered Spider group, used '
                'sophisticated impersonation of TCS help-desk staff to gain '
                "access to M&S systems. The breach disrupted M&S's digital "
                'infrastructure, halted online shopping, and caused supply '
                'chain disruptions, resulting in an estimated £300M in '
                'financial losses and over £1B wiped from market '
                'capitalization. M&S subsequently terminated its help-desk '
                'contract with TCS in July 2025, though both companies '
                'maintain the decision was unrelated to the breach. The '
                'incident highlights risks in third-party vendor access, '
                'social engineering, and outsourcing ecosystems in '
                'cybersecurity.',
 'impact': {'brand_reputation_impact': 'Severe (damaged reliability '
                                       'perception, competitive disadvantage)',
            'conversion_rate_impact': 'Significant (customers unable to place '
                                      'orders)',
            'customer_complaints': 'Widespread (due to unfulfilled orders and '
                                   'stock shortages)',
            'downtime': ['Extended suspension of online orders (weeks)',
                         'Partial halt of click-and-collect services'],
            'financial_loss': '£300 million (estimated lost operating profit)',
            'operational_impact': ['Empty shelves in physical stores',
                                   'Supply chain disruptions',
                                   'Inventory mismanagement',
                                   'Loss of customer trust'],
            'revenue_loss': '£1 billion+ (market capitalization wiped out)',
            'systems_affected': ['Online Shopping Platform',
                                 'Click-and-Collect Operations',
                                 'Supply Chain Systems',
                                 'Inventory Management',
                                 'Store Stocking Systems']},
 'initial_access_broker': {'entry_point': 'TCS help-desk staff credentials '
                                          '(impersonation/social engineering)',
                           'high_value_targets': ['M&S online shopping '
                                                  'platform',
                                                  'Supply chain systems',
                                                  'Inventory management']},
 'investigation_status': 'Ongoing (as of July 2025; TCS maintains no '
                         'compromise of its systems)',
 'lessons_learned': ['Vendor access equals attack surface; third-party '
                     'personnel and processes must be treated as part of the '
                     'cyber footprint.',
                     'Social engineering (e.g., impersonation of help-desk '
                     'staff) remains a critical vulnerability, bypassing '
                     'technical defenses.',
                     'Outsourcing does not absolve the client of '
                     'accountability for cybersecurity, regulatory compliance, '
                     'or business continuity.',
                     'Contract renewal timelines should account for cyber risk '
                     'assessments, especially for high-access vendors.',
                     'Transparency in incident communication is essential to '
                     'mitigate reputational damage and stakeholder '
                     'speculation.',
                     "Retailers must map 'critical vendors' and integrate them "
                     'into cybersecurity strategies, not treat them as '
                     'peripheral suppliers.',
                     'Disruptions to digital platforms (e.g., online shopping) '
                     'can have immediate bottom-line impacts, including market '
                     'share loss to competitors.'],
 'motivation': ['Financial Gain', 'Disruption', 'Data Theft (Presumed)'],
 'post_incident_analysis': {'corrective_actions': ['Termination of TCS '
                                                   'help-desk contract (though '
                                                   'M&S claims unrelated to '
                                                   'breach).',
                                                   'Likely review of all '
                                                   'third-party access '
                                                   'controls and '
                                                   'authentication mechanisms.',
                                                   'Potential adoption of '
                                                   'zero-trust architecture '
                                                   'for vendor access.',
                                                   'Enhanced monitoring of '
                                                   'help-desk activities for '
                                                   'anomalous behavior.',
                                                   'Reevaluation of '
                                                   'outsourcing strategies to '
                                                   'balance cost savings with '
                                                   'cyber risk.'],
                            'root_causes': ['Over-reliance on third-party '
                                            'vendor (TCS) for critical '
                                            'help-desk access without '
                                            'sufficient safeguards.',
                                            'Lack of robust authentication '
                                            '(e.g., MFA) for vendor logins, '
                                            'enabling credential theft via '
                                            'impersonation.',
                                            'Inadequate segmentation between '
                                            'M&S systems and TCS help-desk '
                                            'access, allowing lateral '
                                            'movement.',
                                            'Social engineering '
                                            'vulnerabilities in help-desk '
                                            'processes (e.g., scripted '
                                            'password resets).',
                                            'Complex outsourcing ecosystem '
                                            'with elevated third-party access, '
                                            'increasing attack surface.']},
 'recommendations': ['Implement stricter authentication for third-party vendor '
                     'access (e.g., MFA, behavioral biometrics).',
                     'Conduct regular audits of vendor cybersecurity '
                     'practices, especially for help-desk and privileged '
                     'access roles.',
                     'Develop incident response playbooks specifically for '
                     'third-party breaches, including clear communication '
                     'protocols.',
                     'Integrate vendor risk management into enterprise '
                     'cybersecurity frameworks, treating critical suppliers as '
                     'extensions of internal systems.',
                     'Enhance training for help-desk staff to detect and '
                     'resist social engineering attacks (e.g., impersonation, '
                     'phishing).',
                     'Review outsourcing contracts to include cybersecurity '
                     'SLAs, liability clauses, and breach response '
                     'obligations.',
                     'Adopt zero-trust principles for vendor access, '
                     'minimizing standing privileges and enforcing '
                     'least-privilege access.',
                     'Monitor dark web and underground forums for signs of '
                     'compromised vendor credentials or targeted attacks.'],
 'references': [{'source': 'Media reports on M&S cyberattack and TCS contract '
                           'termination'},
                {'source': 'Statements from M&S CEO Stuart Machin to UK '
                           'Parliament'},
                {'source': 'TCS public statements on the incident'}],
 'response': {'communication_strategy': ['Public disclosure of incident',
                                         'Statements to MPs (UK Parliament)',
                                         'Investor updates',
                                         'Media responses'],
              'containment_measures': ['Suspension of online orders',
                                       'Partial halt of click-and-collect '
                                       'services',
                                       'Isolation of compromised systems '
                                       '(presumed)'],
              'enhanced_monitoring': 'Likely (though not explicitly stated)',
              'incident_response_plan_activated': 'Yes (though details '
                                                  'undisclosed)',
              'recovery_measures': ['Restoration of online shopping platform',
                                    'Rebuilding supply chain operations',
                                    'Customer communication campaigns'],
              'remediation_measures': ['Contract termination with TCS for '
                                       'help-desk services',
                                       'Review of third-party access controls',
                                       'Enhanced authentication for vendor '
                                       'logins (presumed)']},
 'stakeholder_advisories': ['M&S updates to investors and MPs',
                            'TCS communications to clients and media'],
 'threat_actor': 'Scattered Spider',
 'title': 'Marks & Spencer (M&S) Cyberattack via Third-Party Vendor (TCS) '
          'Leading to £300M Loss and Contract Termination',
 'type': ['Cyberattack',
          'Third-Party Breach',
          'Social Engineering',
          'Supply Chain Attack'],
 'vulnerability_exploited': ['Human Trust in Help-Desk Processes',
                             'Weak Authentication for Third-Party Access',
                             'Lack of Multi-Factor Authentication (MFA) for '
                             'Vendor Logins']}