October 28, 2025
Risk Assessment
By Securiglobe

Inside the Cybersecurity Breach That Ended Marks & Spencer’s Contract With TCS

Marks & Spencer’s IT contract with TCS was abruptly canceled after a major cybersecurity breach exposed sensitive data. Here’s what happened, how it happened, and what it means for corporate data protection.

For years, Marks & Spencer (M&S) relied on Tata Consultancy Services (TCS) to manage its critical IT infrastructure and digital operations.

But in a stunning move, the British retail giant terminated its contract with TCS following a major cybersecurity breach that exposed confidential business data, internal communications, and sensitive customer information.

The incident not only disrupted M&S’s digital services but also highlighted an uncomfortable truth: even the biggest IT vendors can become the weakest link in corporate cybersecurity.

So—what exactly went wrong?

Let’s unpack how the breach happened, how it spiraled into a full-blown crisis, and what lessons other companies can learn from this digital disaster.

The Breach: What Actually Happened

In late August 2025, M&S’s internal cybersecurity team detected unusual traffic patterns between their retail database servers and a third-party cloud environment managed by TCS. Initially flagged as a possible system update anomaly, further investigation revealed that data packets were being exfiltrated—transferred externally to an unidentified IP address located outside the UK.

Within hours, the incident escalated into a confirmed data breach, affecting both employee and customer records. Cybersecurity analysts later discovered that attackers had gained access through a misconfigured cloud storage bucket used to store internal application logs and system backups.

Key Findings from the Forensic Investigation:

  • Cloud Misconfiguration: The compromised bucket lacked proper access controls, allowing external access through a public endpoint.
  • Leaked Credentials: A senior TCS administrator’s credentials were obtained through a phishing campaign, giving attackers entry into privileged systems.
  • Delayed Detection: The intrusion persisted for nearly six weeks before detection, suggesting monitoring systems were either disabled or misconfigured.
  • Data Exfiltration: Over 10,000 customer profiles and 2,500 employee records were accessed, including partial financial data and internal strategy documents.

In short, the breach was a perfect storm of human error, weak security governance, and delayed incident response.
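
As an added illustration of the cloud-misconfiguration finding (not code from M&S, TCS or the investigation), the Python check below flags bucket policy statements that grant access to every principal, run against a weak policy and a corrected one. It assumes AWS S3 bucket-policy grammar, since the article says only "S3-like"; the bucket name, account ID and role are placeholders.

```python
import json

# Constructed policies in AWS S3 bucket-policy grammar (assumption: the page
# only says "S3-like"). Bucket name, account ID and role are placeholders.
RESOURCES = ["arn:aws:s3:::example-log-backups",
             "arn:aws:s3:::example-log-backups/*"]
ACTIONS = ["s3:GetObject", "s3:ListBucket"]

def make_policy(principal, condition=None):
    stmt = {"Sid": "LogReaders", "Effect": "Allow", "Principal": principal,
            "Action": ACTIONS, "Resource": RESOURCES}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

WEAK_POLICY = make_policy("*")  # any caller can list and read the backups
FIXED_POLICY = make_policy({"AWS": "arn:aws:iam::111122223333:role/log-reader"})

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard(principal):
    """True for "*" or any principal map containing "*" (e.g. {"AWS": "*"})."""
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return principal == "*"

def public_statements(policy_json):
    """Return [(sid, verdict)] for Allow statements granted to every principal.

    verdict is "public" when nothing narrows the grant, or "review-condition"
    when a Condition block exists and a human must judge whether it is tight.
    """
    findings = []
    statements = as_list(json.loads(policy_json).get("Statement", []))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not is_wildcard(stmt.get("Principal")):
            continue
        verdict = "review-condition" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", f"#{index}"), verdict))
    return findings

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, public_statements(doc))
```

Bucket ACLs and account-level public access block settings are separate controls that this policy check does not read.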

How It Happened: The Technical Breakdown

According to internal sources close to the investigation, the attack began when a TCS network administrator received a spear-phishing email disguised as an internal compliance request from M&S’s audit department. The email contained a malicious link that redirected to a fake login page mimicking TCS’s internal portal.

Once the admin entered credentials, attackers gained unauthorized access to TCS’s project management environment, which contained authentication tokens and system configuration files. Using these tokens, they pivoted laterally into M&S’s production environment hosted on the same cloud provider.

From there, attackers identified an unsecured S3-like bucket containing daily log backups. These logs included fragments of sensitive data: user IDs, hashed passwords, and even API keys. Within 48 hours, the attackers had escalated privileges and begun exfiltrating data to an encrypted offshore server.
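
The log backups mattered because they carried secrets. As an added example (not part of the original article or of either company's tooling), this Python filter redacts password hashes, API keys and bearer tokens from log lines before they are written to backup storage. The log format, key names and sample values are assumptions constructed for the illustration.

```python
import re

# Constructed log lines in a made-up format; every value is fake.
SAMPLE_LOG = [
    "2025-07-21T02:00:01Z INFO login ok user_id=48213",
    "2025-07-21T02:00:02Z DEBUG auth row user_id=48213 password_hash=$2b$12$" + "a" * 53,
    '2025-07-21T02:00:03Z DEBUG payments call api_key="EXAMPLEKEY0123456789"',
    "2025-07-21T02:00:04Z WARN retry Authorization: Bearer EXAMPLETOKEN.abc.def",
    "2025-07-21T02:00:05Z DEBUG csv row 48213,$2y$10$" + "b" * 53,
]

# Assumed key names; extend to match what your applications actually log.
SECRET_KV = re.compile(
    r'(?i)\b(pass(?:word|wd)?(?:_hash)?|api[_-]?key|secret|token)(\s*[=:]\s*)"?[^\s",;]+"?')
BEARER = re.compile(r"(?i)\b(authorization:\s*bearer\s+)[A-Za-z0-9._~+/=-]+")
BCRYPT = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")  # hash with no key name

def redact(line):
    """Return (redacted_line, sorted finding kinds) for one log line."""
    kinds = set()

    def hide_kv(match):
        kinds.add(match.group(1).lower())
        return match.group(1) + match.group(2) + "[REDACTED]"

    def hide_bearer(match):
        kinds.add("bearer")
        return match.group(1) + "[REDACTED]"

    line = SECRET_KV.sub(hide_kv, line)
    line = BEARER.sub(hide_bearer, line)
    line, count = BCRYPT.subn("[REDACTED]", line)
    if count:
        kinds.add("bcrypt")
    return line, sorted(kinds)

def scan(lines):
    """Return (clean_lines, {line_number: kinds}) for lines that held secrets."""
    clean, findings = [], {}
    for number, line in enumerate(lines, start=1):
        redacted, kinds = redact(line)
        clean.append(redacted)
        if kinds:
            findings[number] = kinds
    return clean, findings

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_LOG)[0]))
```

The findings map doubles as an audit signal: a line number that shows up there points at application code that should stop logging the value in the first place.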

Incident Timeline

| Date | Event |
|---|---|
| July 15, 2025 | Phishing email sent to TCS administrator. |
| July 16–18 | Credentials compromised; attackers gain access to project environment. |
| July 20–Aug 31 | Data exfiltration phase—logs and customer data extracted. |
| Sept 1, 2025 | M&S detects unusual outbound data transfers. |
| Sept 2, 2025 | Breach confirmed; emergency response initiated. |
| Sept 10, 2025 | M&S suspends all integration with TCS systems. |
| Sept 15, 2025 | Contract termination announced publicly. |

Recommendations

This breach is a wake-up call not just for TCS and M&S but for any enterprise managing digital ecosystems through third parties. Here are the key takeaways:

  • Implement Zero-Trust Architecture: Never assume internal systems or vendors are safe by default.
  • Conduct Regular Security Audits: Third-party systems need the same scrutiny as internal assets.
  • Enhance Employee Training: Phishing remains one of the easiest—and most effective—attack vectors.
  • Use Real-Time Threat Detection Tools: Early detection could’ve prevented weeks of silent data theft.
  • Legal & Contractual Oversight: Contracts should include strict clauses for breach response, audit rights, and compensation.

This Is Exactly Why AEKZ Securiglobe

At AEKZ Securiglobe India Pvt. Ltd., we help organizations ensure that no third-party partnership ever becomes a security liability.

We built our cybersecurity ecosystem around the very lessons the M&S breach revealed — visibility, governance, and resilience.

  1. Vulnerability Assessment & Penetration Testing – We identify and eliminate weaknesses not just in your systems, but across connected vendors and applications.
  2. SOC-as-a-Service (24×7 Monitoring) – Continuous monitoring for unauthorized access, anomalies, and insider risks.
  3. Third-Party Risk Governance – Defining strong access control, compliance checks, and accountability.
  4. Incident Response Frameworks – Rapid containment, data protection, and minimal downtime.
  5. Cyber Awareness & Human Risk Mitigation – Training internal teams and vendor staff to respond effectively.
