Marks & Spencer Cyberattack and IT Helpdesk Contract Termination
Marks & Spencer suffered a major cyberattack in April 2025, reportedly linked to the Scattered Spider group, which used advanced social engineering tactics to impersonate senior executives and trick IT helpdesk staff into resetting critical login credentials. The attack led to the suspension of the retailer’s online shopping platform, failures in contactless payments, and significant supply chain disruptions, resulting in an estimated £300 million loss in operating profits. The incident drew public and parliamentary scrutiny, particularly regarding the role of Tata Consultancy Services (TCS), whose staff managed key support lines and password resets targeted by the attackers. Four individuals were arrested by the National Crime Agency in connection with the attack on M&S and other British retailers.
In the aftermath, Marks & Spencer replaced TCS as its IT service desk provider, a decision both companies stated was the result of a procurement process that began before the cyber incident and not a direct response to the breach. TCS continues to provide other IT services for M&S, including data center management, while cybersecurity services are handled by other vendors. The breach and its fallout have prompted M&S to reassess its digital operations, cybersecurity posture, and vendor management strategies, with full restoration of some services, such as Click & Collect, only achieved months after the attack.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
UK authorities arrest four over attacks on British retailers
The UK National Crime Agency arrested four people in connection with cyberattacks targeting M&S and other British retailers. The arrests marked a law-enforcement escalation in the investigation of the retail attack spree.
M&S warns cyberattack will cut profits by about £300 million
M&S CEO Stuart Machin said the cyber incident was expected to reduce profits by roughly £300 million in the 2025/26 financial year. The estimate underscored the scale and duration of the business impact from the attack.
M&S replaces TCS as IT service desk provider
In late October 2025, M&S ended or replaced Tata Consultancy Services in the IT service desk role while retaining TCS in other strategic technology work. Both companies said the change followed the procurement process launched in January, though it came amid fallout from the April cyberattack.
TCS says its review found no compromise of its own systems
Tata Consultancy Services said its internal investigation found no compromise of TCS networks or systems and that the relevant weaknesses were in the client environment. TCS also emphasized it did not provide cybersecurity services to M&S.
Attack attributed to Scattered Spider social engineering
Reporting later attributed the M&S intrusion to Scattered Spider, which allegedly impersonated senior M&S executives to convince helpdesk staff to reset critical credentials. The social-engineering access path became a key technical detail in understanding the breach.
Cyberattack disrupts Marks & Spencer operations
In April 2025, Marks & Spencer disclosed a major cyberattack that caused significant operational disruption. Reported impacts included outages affecting online shopping, Click & Collect, contactless payments, and parts of the supply chain.
M&S launches competitive procurement for IT service desk
Marks & Spencer began a competitive procurement process for its IT service desk contract in January 2025. Later statements from M&S and Tata Consultancy Services said the eventual contract change stemmed from this process rather than a direct finding of fault from the cyber incident.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Business rival credits cyberattack on M&S for boosting profits
therecord.media
Open sourceMarks & Spencer swaps out TCS for fresh helpdesk deal
go.theregister.com
Open sourceMarks & Spencer Terminates TCS Helpdesk Contract Amid Cyberattack Fallout
thecyberthrone.in
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Marks & Spencer Cyberattack Causes Major Financial Losses and Operational Disruption
Marks & Spencer suffered a significant cyberattack in April that resulted in extensive operational disruption and a dramatic impact on its financial performance. The retailer reported that the incident led to a 55.4% drop in profits, with first-half earnings plunging to £3.4 million ($4.4 million) from £391.1 million ($510 million) the previous year. The attack forced the company to disconnect its warehouse management and online ordering systems, halting online and international sales for weeks. Home delivery resumed in June, and 'click and collect' services were restored in August, but sales in key departments such as fashion, home, and beauty declined by 16.4% during the reporting period due to the disruption. The total cost of the cyberattack is estimated at £136 million ($177.2 million), with £83 million ($108.2 million) spent on immediate response and recovery, and the remainder on legal and professional services. Marks & Spencer expects to offset much of these costs with a £100 million ($130.4 million) insurance claim. The incident is believed to be linked to the Scattered Spider hacking collective, with several arrests made in connection to this and other attacks on UK retailers. Despite the setback, M&S reported a 22.1% increase in overall revenues, though the cyberattack's impact on profits and operations was substantial.
Mar 21, 2026
Marks & Spencer Hack Exposed Customer Data and Drove Major Retail Disruption
Marks & Spencer said a cyberattack exposed customer personal data and caused prolonged disruption across its retail operations, including suspended online orders, store outages, delivery problems, and empty grocery shelves. The company said stolen information included names, dates of birth, home and email addresses, phone numbers, household details, and online order histories, prompting password resets for online accounts. UK authorities, including the National Cyber Security Centre, worked with affected retailers and law enforcement as the fallout spread beyond M&S. The attack has been linked in reporting to **Scattered Spider** and the **DragonForce** ransomware and extortion operation, with **Co-op** and **Harrods** also reported as targets around the same period. M&S later said the intrusion began through a contractor compromised via sophisticated social engineering rather than exploitation of a flaw in its own systems, and warned the impact would continue for months. The retailer estimated the incident would cut profits by about **£300 million**, with some losses expected to be offset through insurance and other recovery measures.
May 27, 2026
Mango Customer Data Breach via Compromised Marketing Vendor
Spanish fashion retailer Mango experienced a data breach after one of its external marketing service providers was compromised, resulting in the exposure of customer information. The breach was discovered over the weekend and prompted Mango to immediately activate its security protocols to contain the incident. The compromised data included customers’ first names, countries, postal codes, email addresses, and phone numbers, but did not include last names, passwords, or financial information such as credit card or banking details. Mango emphasized that its own corporate infrastructure and IT systems were not affected by the breach, ensuring that business operations continued without disruption. The company notified affected customers via email, providing details about the nature of the breach and the specific data involved. Mango also reported the incident to the Spanish Data Protection Agency (AEPD) and other relevant authorities in compliance with regulatory requirements. The company established a dedicated email address and telephone hotline to support customers with concerns about the breach. Mango advised customers to remain vigilant for suspicious communications or requests for unusual actions, as the exposed data could be used in phishing attacks. The incident highlights the growing risk of supply chain attacks, where third-party vendors become the entry point for cybercriminals targeting large organizations. Mango’s swift response and transparency in communication were noted, as the company reassured customers that no sensitive financial or authentication data was compromised. The breach is part of a broader trend of cyberattacks targeting retailers and their supply chains, with other major brands in Spain and globally having faced similar incidents in recent months. Mango’s case underscores the importance of robust vendor risk management and the need for continuous monitoring of third-party partners. The company reiterated its commitment to data protection and announced plans to review and strengthen its security measures to prevent future incidents. Customers were encouraged to contact Mango if they noticed any suspicious activity related to their personal information. The breach serves as a reminder for organizations to ensure that their external partners adhere to stringent cybersecurity standards.
Mar 21, 2026