M&S ousts Indian outsourcer accused of £300m cyber attack failures

Marks & Spencer has ditched the Indian IT outsourcing giant accused of being at fault for its devastating cyber attack earlier this year.

The retailer, which lost an estimated £300m from the hack, has ended a long-running contract with Tata Consultancy Services (TCS) to operate the FTSE 100 company’s technology helpdesk.

M&S cancelled the deal in July, just months after the crippling cyber hack forced it to shut down online sales for weeks and left shelves empty.

The Indian group denied it was at fault for the attack, but the move to end the contract so soon afterwards will raise questions over why it was not renewed.

The hackers, from a group called Scattered Spider, are said to have gained access to M&S’s systems through “social engineering”, where hackers call technology desk helplines and impersonate executives to get their passwords reset.

In July, Archie Norman, the M&S chairman, told MPs that hackers had used “sophisticated impersonation” to gain entry “involving a third party”.

Shortly after the incident, TCS held an internal investigation into whether its technology helpdesk had acted as a gateway for hackers to access M&S’s systems. It later said it had found no fault.

However, Liam Byrne, the chairman of the business select committee, later wrote to TCS asking about its work with M&S. In a letter to MPs earlier this month, TCS said the breach at M&S occurred “in the client’s own environment” and that it had found “no indicators of compromise within the TCS network”.

TCS, which is listed in India, is a major IT contractor to UK businesses and critical national infrastructure, working with dozens of banks and financial firms.

UK companies have widely sought to cut costs by outsourcing their technology and contact centres to Indian technology giants.

However, cyber security sources have questioned whether outsourcing crucial IT functions can leave businesses exposed to new risks in the wake of the hack.

Kevin Beaumont, a cyber security researcher, warned that typical IT helpdesks could be working with multiple customers and just “run through a script”.

“It’s easy to abuse and easy for the operator to make a human error,” he said.

M&S has worked with TCS for more than a decade, agreeing to a renewed deal with the outsourcer two years ago to modernise its technology systems.

As part of that agreement, TCS promised to “simplify M&S’s technology landscape and modernise its core business systems”.

TCS still works with M&S on other technology, such as its data centre and cloud services, despite losing the technology desk contract.

The outsourcer supplies contractors and staffs contact centres where workers perform IT trouble-shooting and in some cases have access to crucial security processes, such as password resets.

M&S kicked off the process to find a new helpdesk provider in January, before the cyber attack hit.

A spokesman for the retailer said: “As is usual process, we went to market to test for the most suitable product available, ran a thorough process and instructed a new provider this summer”, adding that the change “has no bearing on our wider TCS relationship”.

The M&S spokesman added: “We value our partnership with the TCS team.”

Furthermore, a TCS spokesman said the decision to end the helpdesk contract was taken prior to the April cyber attack and is “unrelated”.

“TCS does not provide cyber security services to Marks & Spencer. This is a service that is provided by another partner of M&S,” they added.

The spokesman said the tender for the M&S helpdesk contract was started months before the cyber attack, adding: “TCS continues to work on numerous other areas of engagement in its role as a strategic partner for M&S and is proud of this longstanding partnership.”

Broaden your horizons with award-winning British journalism. Try The Telegraph free for 1 month with unlimited access to our award-winning website, exclusive app, money-saving offers and more.

Marks & Spencer has ditched the Indian IT outsourcing giant accused of being at fault for its devastating cyber attack earlier this year.

The retailer, which lost an estimated £300m from the hack, has ended a long-running contract with Tata Consultancy Services (TCS) to operate the FTSE 100 company’s technology helpdesk.

M&S cancelled the deal in July, just months after the crippling cyber hack forced it to shut down online sales for weeks and left shelves empty.

The Indian group denied it was at fault for the attack, but the move to end the contract so soon afterwards will raise questions over why it was not renewed.

The hackers, from a group called Scattered Spider, are said to have gained access to M&S’s systems through “social engineering”, where hackers call technology desk helplines and impersonate executives to get their passwords reset.

In July, Archie Norman, the M&S chairman, told MPs that hackers had used “sophisticated impersonation” to gain entry “involving a third party”.

Shortly after the incident, TCS held an internal investigation into whether its technology helpdesk had acted as a gateway for hackers to access M&S’s systems. It later said it had found no fault.

However, Liam Byrne, the chairman of the business select committee, later wrote to TCS asking about its work with M&S. In a letter to MPs earlier this month, TCS said the breach at M&S occurred “in the client’s own environment” and that it had found “no indicators of compromise within the TCS network”.

TCS, which is listed in India, is a major IT contractor to UK businesses and critical national infrastructure, working with dozens of banks and financial firms.

UK companies have widely sought to cut costs by outsourcing their technology and contact centres to Indian technology giants.

However, cyber security sources have questioned whether outsourcing crucial IT functions can leave businesses exposed to new risks in the wake of the hack.

Kevin Beaumont, a cyber security researcher, warned that typical IT helpdesks could be working with multiple customers and just “run through a script”.

“It’s easy to abuse and easy for the operator to make a human error,” he said.

M&S has worked with TCS for more than a decade, agreeing to a renewed deal with the outsourcer two years ago to modernise its technology systems.

As part of that agreement, TCS promised to “simplify M&S’s technology landscape and modernise its core business systems”.

TCS still works with M&S on other technology, such as its data centre and cloud services, despite losing the technology desk contract.

The outsourcer supplies contractors and staffs contact centres where workers perform IT trouble-shooting and in some cases have access to crucial security processes, such as password resets.

M&S kicked off the process to find a new helpdesk provider in January, before the cyber attack hit.

A spokesman for the retailer said: “As is usual process, we went to market to test for the most suitable product available, ran a thorough process and instructed a new provider this summer”, adding that the change “has no bearing on our wider TCS relationship”.

The M&S spokesman added: “We value our partnership with the TCS team.”

Furthermore, a TCS spokesman said the decision to end the helpdesk contract was taken prior to the April cyber attack and is “unrelated”.

“TCS does not provide cyber security services to Marks & Spencer. This is a service that is provided by another partner of M&S,” they added.

The spokesman said the tender for the M&S helpdesk contract was started months before the cyber attack, adding: “TCS continues to work on numerous other areas of engagement in its role as a strategic partner for M&S and is proud of this longstanding partnership.”

Broaden your horizons with award-winning British journalism. Try The Telegraph free for 1 month with unlimited access to our award-winning website, exclusive app, money-saving offers and more.