When Trust Breaks: M&S Ends IT Service Desk Contract with TCS After £300M Cyber Attack
The £300 million question: Can managed service providers survive being the breach point?
In a move that sends shockwaves through the IT services industry, British retail giant Marks & Spencer has terminated its IT service desk contract with Indian tech powerhouse Tata Consultancy Services (TCS) following a devastating cyber attack that cost the retailer up to £300 million ($390 million). The contract ended in July 2025, just months after TCS was forced to conduct an internal investigation into whether its helpdesk operations served as the entry point for one of the UK's most damaging retail breaches.
The decision marks a critical inflection point in the managed services industry: even when vendors claim technical innocence, the reputational and financial damage from being implicated in a major breach can prove terminal to client relationships.
The Marks & Spencer Breach: A Timeline of Disaster
The attack began on Easter weekend 2025, when M&S customers first reported glitches with contactless payments and Click & Collect services. What initially appeared as technical hiccups quickly escalated into a full-blown crisis. By April 25, M&S was forced to suspend all online orders for clothing and home departments, with recovery taking until June to partially restore services.
According to testimony before UK Parliament's Business and Trade Committee, the attackers used "sophisticated impersonation" to trick IT helpdesk staff into resetting passwords. M&S Chairman Archie Norman explained that hackers posed as legitimate employees—one of 50,000 people associated with the company—and successfully manipulated a third-party provider into granting access. The attack was attributed to Scattered Spider, a notorious ransomware collective known for advanced social engineering tactics.
The financial impact has been catastrophic:
- £300 million in lost operating profit for the 2025/26 financial year
- £750 million wiped from M&S's market value at the breach's peak
- 46 days without online clothing sales
- Up to £100 million in potential cyber insurance claims
Customer data including names, addresses, phone numbers, and dates of birth was compromised, though M&S maintained that payment details and passwords were not accessed.
TCS: Exonerated But Still Fired
TCS, which has provided services to M&S for more than a decade and manages a $1 billion technology modernization contract for the retailer, conducted an internal investigation concluding in June 2025. The company exonerated itself, stating at its annual shareholder meeting that "no TCS systems or users were compromised" and that "none of our other customers are impacted."
However, this technical vindication proved insufficient to save the IT service desk contract. The renewal process began in January 2025—three months before the attack—and M&S ultimately selected a different provider after completing a competitive procurement process.
Both companies maintain the timing was coincidental. "This process started in January and this change has no bearing on our wider TCS relationship," M&S stated. TCS similarly emphasized that the contract termination and cyber attack were "clearly unrelated," noting that M&S chose another provider "much prior to the cyber incident in April."
Yet industry observers remain skeptical of these explanations. The optics are damaging: a managed service provider conducting IT helpdesk operations for a client that suffers a £300 million breach through social engineering targeting helpdesk staff—even if technically blameless—creates an association that's difficult to overcome.
M&S continues to use TCS for other technology services, including data center and cloud operations, suggesting the relationship hasn't been completely severed. However, the loss of the helpdesk contract represents a significant reputational blow to TCS, which provides services to 211 UK-based clients across finance, energy, water, and nuclear sectors.
A Growing Trend: MSPs Held Accountable for Client Breaches
The M&S-TCS situation is far from isolated. A pattern is emerging across the managed services industry: when clients suffer breaches connected to MSP operations, the consequences extend beyond technical remediation to contract terminations and legal battles.
The Mastagni Law Firm vs. LanTech: The Landmark MSP Lawsuit
Perhaps the most legally significant case emerged in Sacramento, California, where law firm Mastagni Holstedt sued its MSP LanTech LLC for over $1 million in damages following a February 2023 ransomware attack by the Black Basta group.
The case is particularly notable because there was no written contract: the parties had only a verbal agreement. According to court documents, the law firm experienced "connectivity issues" on February 24, 2023, which LanTech claimed were "resolved" without providing details about cybersecurity risks. Three days later, Mastagni suffered a "major outage" that caused it to lose access to its servers and data.
When the firm attempted to recover data through its Acronis backup system (also named in the lawsuit), it discovered that its backups had been deleted. The firm ultimately paid Black Basta a ransom to recover its data.
The lawsuit alleges LanTech was negligent for:
- Advising the firm to switch from offline to cloud-based backup systems
- Failing to implement adequate cybersecurity protections
- Not maintaining backups of deleted files for at least 30 days
Cybersecurity attorney Donald Geiter noted that "if a large company was the client, the MSP would likely get fired, not sued." The reason lawsuits like this are rare, he explained, is that "often these things are resolved by cyber insurance."
BerryDunn vs. Reliable Networks: Passing the Blame
In another high-profile case, IT consulting firm Berry, Dunn, McNeil & Parker blamed Reliable Networks, an MSP based in Biddeford, Maine, for failing to secure its network after a breach affecting 1.1 million individuals' personally identifiable information.
BerryDunn, which operates a medical data analytics business, claimed the breach occurred on Reliable's network and systems, not its own. "Contrary to BerryDunn's baseless allegations, BerryDunn's own network and system were breached by a third party, through no fault of Reliable Networks," the MSP countered in a public statement.
The case highlights a critical issue in MSP relationships: when breaches occur, determining responsibility becomes murky. BerryDunn retained Reliable for "technology consultation services, on-demand IT support and training, and maintenance and monitoring services" but claimed it did not hire them specifically for cybersecurity protection—a distinction Reliable emphasized in its defense.
Nine customers are suing BerryDunn in U.S. District Court in Portland, Maine, and BerryDunn in turn is pointing the finger at its MSP. Neither company has disclosed whether written contracts existed defining cybersecurity responsibilities.
The Kaseya VSA Supply Chain Attack: Downstream Devastation
While direct evidence of widespread contract terminations following the July 2021 Kaseya VSA ransomware attack is limited, the incident demonstrated the catastrophic potential of MSP breaches. The REvil ransomware group exploited vulnerabilities in Kaseya's VSA remote monitoring and management software, affecting approximately 60 MSPs and 800-1,500 downstream businesses.
Swedish supermarket chain Coop was forced to close all 800 stores for nearly a week after its systems management provider Visma was compromised through Kaseya. Coop chose not to pay the ransom, instead rebuilding systems from scratch—a months-long process that likely strained the client-vendor relationship.
The N-able MSP spinoff from SolarWinds reported in its SEC filings that the SolarWinds breach (though N-able systems weren't directly affected) would cause customers to "defer buying or choose to cancel or not renew their agreements or subscriptions." The company warned: "If we are unable to maintain the trust of our current and prospective MSP partners and their SME customers, negative publicity continues and/or our personnel continue to have to devote significant time to the cyber incident, our business, market share, results of operations and financial condition will be negatively affected."
The Economics of MSP Liability: Why Contracts Are Ending
Industry experts point to several factors driving the trend of contract terminations following breaches:
1. Reputational Contamination
Even technical innocence isn't enough. As one attorney specializing in MSP law noted, "This MSP's name is all over the news, and not in a good way. All press is not necessarily good press." The association with a major breach creates lasting damage that makes contract renewal politically and practically difficult.
2. Insurance-Driven Decisions
Cyber insurance carriers increasingly influence vendor relationships. After a breach, insurers may mandate changes to security practices, including replacing vendors implicated in the incident. With M&S potentially claiming up to £100 million from cyber insurance, insurers like Allianz (the primary insurer) and Beazley likely had input on the TCS decision.
3. Board-Level Risk Management
Following breaches, board members and executives demand visible action. Terminating contracts with implicated vendors—regardless of technical culpability—demonstrates responsiveness and reduces perceived risk of recurrence. M&S's decision to change helpdesk providers sends a clear message: we're taking action.
4. Regulatory Pressure
With the UK's evolving cybersecurity regulations and GDPR implications, organizations face increasing pressure to demonstrate robust vendor management. Retaining a service provider implicated in a breach—even one that found no compromise in its systems—creates regulatory risk perception.
5. Supply Chain Security Mandates
The 2025 cybersecurity landscape has seen supply chain attacks become a dominant threat vector. Organizations are reassessing all third-party relationships, with particular scrutiny on providers with privileged access. The massive uptick in supply chain compromises has made boards extremely sensitive to vendor-related risks.
Smart organizations are implementing comprehensive vendor risk management programs to continuously monitor third-party security posture. Tools like VendorScope enable real-time visibility into vendor cybersecurity hygiene, while platforms such as the VRM tool help organizations systematically assess, track, and manage vendor risk across their entire supply chain ecosystem.
What MSPs Can Do to Protect Themselves
Legal and cybersecurity experts recommend several strategies for MSPs to limit liability and maintain client relationships post-breach:
Contractual Protections
Written Agreements Are Non-Negotiable: The Mastagni case demonstrates the catastrophic risk of operating without written contracts. Every MSP engagement must include:
- Master Service Agreements (MSAs) with clear liability limitations
- Detailed Statements of Work (SOWs) specifying exactly what the MSP will and won't do
- Explicit language stating that not all security incidents are preventable
- Acknowledgment that even perfect execution doesn't guarantee zero breaches
Require Client Cyber Insurance: MSPs should mandate that clients carry adequate cyber liability insurance. This protects both parties and provides resources for incident response without immediately looking to the MSP for damages.
Limit Liability Provisions: Contracts should cap MSP liability and exclude indirect, consequential, and punitive damages where legally permissible.
Operational Best Practices
Implement Refusal Waivers: When clients reject security recommendations, MSPs should require signed waivers documenting the refusal. This creates paper trails proving the MSP advised proper security measures.
Rigorous Access Controls: Helpdesk operations should implement:
- Multi-factor authentication on all accounts
- Verification procedures for password resets and access requests
- Out-of-band confirmation for sensitive changes
- Recording and logging of all support interactions
- Regular security awareness training specifically focused on social engineering
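The verification and out-of-band confirmation controls listed above can be enforced as a policy gate rather than left to agent judgement. The following Python sketch is an added example, not code from M&S, TCS or any provider named on this page; the directory layout, ticket fields, verification method names and the set of "strong" verifications are assumptions. A reset is executed only when a strong identity check, confirmation on a pre-registered channel and (for privileged accounts) an independent approver are all recorded, and every decision is written to an audit log for later review.

```python
"""Helpdesk password-reset gate (added illustration, not the page's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed directory: only channels registered *before* the call count as
# out-of-band. A number or address supplied by the caller is never accepted,
# because an impersonator controls whatever they supply.
DIRECTORY = {
    "alice": {"privileged": False, "oob_channels": {"sms:+44700000001"}},
    "bob.admin": {"privileged": True, "oob_channels": {"authenticator:bob"}},
}

# Assumed verification methods. Knowledge-based checks (employee ID, date of
# birth) alone are excluded: those details are routinely available to attackers.
STRONG_VERIFICATIONS = {"manager_callback", "video_id_check", "hardware_token"}


@dataclass
class ResetRequest:
    ticket_id: str
    username: str
    agent: str
    verifications: set = field(default_factory=set)   # methods the agent performed
    oob_channel: Optional[str] = None                 # channel the user confirmed on
    approver: Optional[str] = None                    # second person for privileged accounts


def evaluate_reset(req: ResetRequest, audit: list) -> tuple:
    """Return (allowed, reasons) and always append an audit record."""
    reasons = []
    user = DIRECTORY.get(req.username)
    if user is None:
        reasons.append("unknown user")
    else:
        if not (req.verifications & STRONG_VERIFICATIONS):
            reasons.append("no strong identity verification recorded")
        if req.oob_channel not in user["oob_channels"]:
            reasons.append("out-of-band confirmation missing or not on a pre-registered channel")
        if user["privileged"] and (req.approver is None or req.approver == req.agent):
            reasons.append("privileged account requires an independent approver")
    allowed = not reasons
    audit.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "ticket": req.ticket_id,
        "user": req.username,
        "agent": req.agent,
        "verifications": sorted(req.verifications),
        "oob_channel": req.oob_channel,
        "approver": req.approver,
        "decision": "ALLOW" if allowed else "DENY",
        "reasons": reasons,
    })
    return allowed, reasons


def demo() -> list:
    """Three constructed tickets; returns the audit trail they produce."""
    audit = []
    # Caller quotes an employee ID and asks for the code to go to "their" new phone.
    evaluate_reset(ResetRequest("T-1", "alice", "agent7",
                                {"employee_id"}, "sms:+44700009999"), audit)
    # Manager callback done, confirmation on the registered number.
    evaluate_reset(ResetRequest("T-2", "alice", "agent7",
                                {"employee_id", "manager_callback"}, "sms:+44700000001"), audit)
    # Privileged account, checks in order, but the agent approves their own ticket.
    evaluate_reset(ResetRequest("T-3", "bob.admin", "agent7",
                                {"video_id_check"}, "authenticator:bob", approver="agent7"), audit)
    return audit


if __name__ == "__main__":
    for rec in demo():
        print(rec["ticket"], rec["decision"], "; ".join(rec["reasons"]))
```

The point of the design is that the agent cannot complete the reset by being persuaded: the decision depends on data the caller does not control (the registered channel, a second approver), and the denied attempts remain in the audit trail, which is exactly what an investigation like the one described above needs.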
Comprehensive Insurance Coverage: MSPs need multiple insurance policies:
- General liability insurance
- Errors and omissions (E&O) insurance
- Cyber liability insurance
- Directors and officers (D&O) insurance for personal liability protection
Continuous Security Monitoring: Implement Security Information and Event Management (SIEM) systems, regular penetration testing, and vulnerability assessments. Document all security measures taken. MSPs should regularly benchmark their security operations capabilities against industry standards—tools like RateMySoc can help assess SOC maturity and identify gaps in detection and response capabilities before clients or attackers do.
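SIEM coverage for the helpdesk is only useful if it encodes the abuse pattern the page describes: an impersonator obtains a reset and then takes over the account. The following detection is an added example written for this article, not a rule from any product or from the incident; the log format, field names, thresholds and the sample lines are all constructed. It flags helpdesk-initiated resets with no ticket reference, an MFA enrolment shortly after a helpdesk reset (the sequence that turns a reset into a persistent takeover), and repeated resets of the same account within a day.

```python
"""Helpdesk reset detections over constructed identity-provider audit lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed key=value format.
SAMPLE_LOG = """\
2025-04-19T09:01:12Z event=password_reset user=alice actor=helpdesk:agent7 ticket=T-2
2025-04-19T09:03:40Z event=mfa_enrolled user=alice actor=alice device=authenticator
2025-04-19T09:05:02Z event=password_reset user=carol actor=helpdesk:agent3
2025-04-19T09:06:15Z event=mfa_enrolled user=carol actor=carol device=authenticator
2025-04-19T10:00:00Z event=password_reset user=dave actor=helpdesk:agent3 ticket=T-5
2025-04-19T11:00:00Z event=password_reset user=dave actor=helpdesk:agent9 ticket=T-6
2025-04-19T12:00:00Z event=password_reset user=dave actor=helpdesk:agent3 ticket=T-7
"""

# Assumed thresholds; tune to the environment's baseline.
RESET_WINDOW = timedelta(hours=24)
MAX_RESETS_PER_WINDOW = 2
MFA_AFTER_RESET = timedelta(minutes=15)


def parse_line(line: str) -> dict:
    """Turn '<timestamp> k=v k=v ...' into a dict with a parsed 'ts'."""
    ts_text, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text: str) -> list:
    """Return (rule, user, timestamp) alerts in chronological order."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    resets = defaultdict(list)  # user -> timestamps of helpdesk-initiated resets
    for e in events:
        if e["event"] == "password_reset" and e["actor"].startswith("helpdesk:"):
            # Every agent-performed reset must trace back to a ticket.
            if "ticket" not in e:
                alerts.append(("reset_without_ticket", e["user"], e["ts"]))
            resets[e["user"]].append(e["ts"])
            recent = [t for t in resets[e["user"]] if e["ts"] - t <= RESET_WINDOW]
            if len(recent) > MAX_RESETS_PER_WINDOW:
                alerts.append(("repeated_resets", e["user"], e["ts"]))
        elif e["event"] == "mfa_enrolled":
            # A new factor registered right after a helpdesk reset is the
            # takeover signature worth a call-back to the real user.
            if any(timedelta(0) <= e["ts"] - t <= MFA_AFTER_RESET
                   for t in resets[e["user"]]):
                alerts.append(("mfa_enrolled_after_reset", e["user"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:26s} user={user}")
```

The "mfa enrolled after reset" rule fires for legitimate tickets too (alice above); that is intentional, since the cheap response is a call-back on the registered channel, and the rule should be triaged together with the ticket record rather than suppressed.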
Client Communication
Set Realistic Expectations: Contracts and conversations should explicitly acknowledge that security is a risk reduction activity, not a guarantee. Even with proper controls, breaches can occur.
Transparent Incident Response: When incidents occur, immediate transparency and coordinated response with clients can salvage relationships. TCS's months-long investigation delay may have contributed to relationship strain with M&S.
Regular Security Reporting: Provide clients with regular reports on security posture, threat landscape changes, and recommended improvements. This demonstrates ongoing diligence and creates documentation of responsible management.
The Broader Implications: A Paradigm Shift in MSP Accountability
The M&S-TCS contract termination, combined with the growing number of MSP-related lawsuits, signals a fundamental shift in how organizations view third-party technology providers. The days when MSPs could point to technical specifications and claim limited responsibility are ending.
Several factors are driving this transformation:
The Human Element Can't Be Outsourced
The M&S breach succeeded through social engineering—manipulating humans rather than exploiting technical vulnerabilities. When organizations outsource their helpdesks and support functions, they're outsourcing a critical security control point. If that outsourced operation becomes the breach point, technical arguments about network segregation and system security ring hollow.
Supply Chain Attacks Are the New Normal
As the NPM supply chain attack and Salesforce OAuth compromises demonstrated in 2025, attackers systematically target service providers to reach multiple downstream victims efficiently. MSPs represent high-value targets precisely because they provide access to numerous clients.
Regulatory Evolution Demands Accountability
The EU's NIS2 Directive, coming into full effect in 2025, explicitly addresses supply chain cybersecurity. Organizations must now conduct rigorous vendor risk assessments and can face penalties for inadequate third-party security management. Similar regulations are emerging globally, making vendor selection and oversight board-level responsibilities.
This regulatory pressure has driven organizations to adopt more sophisticated approaches to vendor risk management, moving beyond annual questionnaires to continuous monitoring solutions. Modern vendor risk management platforms enable organizations to track vendor security posture in real-time, while tools like VendorScope provide automated security assessments that meet regulatory requirements for due diligence.
Insurance Market Discipline
The cyber insurance market has matured dramatically. Insurers now conduct detailed assessments of vendor relationships, security practices, and incident response capabilities. Premium pricing and coverage terms increasingly reflect third-party risk management quality. Post-breach, insurers may condition coverage on vendor changes.
The TCS Case: Implications for Global IT Services
For TCS specifically, the M&S contract loss, while officially unrelated to the breach, creates a concerning precedent. TCS serves 211 UK clients across critical sectors including finance, energy, water, and nuclear. In its response to parliamentary inquiries, the company emphasized that it had found "no indicators of compromise within the TCS network" in connection with any incident, including the attacks on M&S, Co-op, and Jaguar Land Rover.
However, the challenge TCS and other global IT services firms face extends beyond technical security. Even perfect security hygiene won't prevent client contract terminations if the perception of risk overwhelms the reality. In the post-breach environment, perception often matters more than technical facts.
The M&S situation also raises questions about the vulnerability of offshore IT service models. When organizations outsource critical functions like IT helpdesks to providers potentially operating under different security cultures, time zones, and regulatory frameworks, they create complex security challenges. The social engineering tactics used in the M&S breach—English-speaking attackers posing as employees—specifically targeted this operational model.
Looking Forward: The New Reality for Managed Service Providers
The trend is unmistakable: MSPs implicated in client breaches face severe commercial consequences, regardless of technical culpability. Several realities are emerging:
- Technical Innocence Is Insufficient: Proving your systems weren't compromised no longer guarantees contract survival. The association alone creates unacceptable risk perception.
- Social Engineering Is the Achilles Heel: As technical defenses improve, attackers target the human element. MSPs operating helpdesks and support functions are in the crosshairs of sophisticated social engineering campaigns.
- Contracts Won't Save You If You're In the News: While proper contracts limit legal liability, they don't prevent relationship termination. The M&S-TCS contract continued for other services, but the high-profile helpdesk contract—the one implicated in breach testimony—ended.
- Insurance Is Becoming Mandatory: Both MSPs and their clients need comprehensive cyber insurance. The ability to respond to incidents without immediately seeking damages from partners helps maintain relationships during crisis.
- Transparency Trumps Perfection: Organizations increasingly value honest, rapid incident response over perfect security. TCS's months-long investigation and limited public disclosure may have damaged trust more than technical findings could repair.
Conclusion: Trust, But Verify—and Have a Backup Plan
The M&S decision to end its TCS IT service desk contract, regardless of the official timeline, sends a clear message throughout the managed services industry: being implicated in a major breach carries commercial consequences that transcend technical fault.
For organizations consuming managed services, the lesson is equally clear: third-party risk management isn't a checklist exercise. It requires:
- Detailed contracts with explicit security requirements
- Regular vendor assessments beyond annual questionnaires—leverage platforms like VendorScope for continuous monitoring or implement structured vendor risk management frameworks
- Incident response plans that include vendor-originated scenarios
- Segregation of duties to limit single points of failure
- Alternative vendor strategies to enable rapid switching if needed
For MSPs, the stakes have risen dramatically. Excellence in technical security remains essential but insufficient. The new requirements include:
- Bulletproof contracts protecting against liability
- Impeccable incident response and communication
- Regular demonstration of security diligence
- Insurance coverage adequate to the risks assumed
- Willingness to walk away from clients who won't implement proper security
The £300 million cost of the M&S breach extends beyond the retailer's balance sheet. It represents a reckoning for the entire managed services industry—a recognition that in the modern threat landscape, being a trusted technology partner means accepting responsibility that goes beyond technical specifications.
As cyber threats continue evolving, with attackers weaponizing AI and systematically targeting supply chains, the margin for error continues shrinking. MSPs that survive and thrive will be those that recognize this new reality: in cybersecurity, perception often matters as much as technical reality, and client trust—once broken—is nearly impossible to rebuild.
The question facing every MSP today isn't whether they have adequate technical controls. It's whether they can maintain client relationships after their name appears in breach investigations, court documents, or parliamentary testimony. The M&S-TCS case suggests the answer, increasingly, is no.