TCS Denies Contract Loss Linked to M&S Cyber-Attack

According to Infosecurity Magazine, Tata Consultancy Services has denied losing a service desk contract with Marks & Spencer following a cyber-attack that hit the retailer in April 2025. TCS described media reports claiming the contract termination was linked to the security incident as “misleading” and containing “factual inaccuracies,” noting that M&S selected other suppliers through an RFP process initiated in January 2025, well before the cyber-attack occurred. This dispute highlights the complex attribution challenges that follow major security incidents.

Understanding IT Service Management Contracts

Service desk contracts represent a critical component of modern IT service management ecosystems, particularly for global retailers like Marks & Spencer operating across the United Kingdom and international markets. These agreements typically involve comprehensive service level agreements (SLAs) covering response times, resolution metrics, and security protocols. What’s often misunderstood is that service desk providers like Tata Consultancy Services typically manage user support and basic IT operations rather than core security infrastructure, making direct attribution of security incidents particularly challenging. The RFP process mentioned in TCS’s regulatory filing typically involves months of evaluation, security assessments, and commercial negotiations that would have been well underway before any April security incident.

Critical Analysis of Cybersecurity Attribution

The fundamental challenge in this situation lies in accurately attributing responsibility for security breaches across complex supply chains. Major retailers typically employ layered security models where multiple vendors share responsibility for different aspects of the security posture. Service desk providers handle user authentication, password resets, and basic access management, but critical security controls like network segmentation, endpoint protection, and threat detection often fall to specialized security vendors or internal teams. The original Telegraph report alleging TCS’s responsibility appears to oversimplify this complex accountability structure. Furthermore, the timing discrepancy highlighted by TCS suggests that contract decisions were made through normal procurement cycles rather than as reactive security measures.

Industry Impact on IT Outsourcing Relationships

This public dispute reflects broader tensions in the $1+ trillion global IT services market, where security incidents increasingly trigger contractual reassessments and reputation damage. For Indian IT giants like TCS, which derive significant revenue from European and North American clients, maintaining trust in their security capabilities is paramount. The incident demonstrates how quickly security events can escalate into business relationship crises, even when direct causation isn’t established. We’re likely to see increased scrutiny of cybersecurity clauses in outsourcing contracts, with more explicit liability frameworks and incident response obligations. The market impact extends beyond TCS to all major IT service providers, as clients reassess their vendor risk management strategies and demand greater transparency into security practices.

Outlook for Cybersecurity Accountability

Looking forward, I expect to see more sophisticated approaches to cybersecurity accountability in outsourcing relationships. The traditional model of vague security responsibilities is becoming unsustainable as regulatory pressures mount and attack sophistication increases. We’ll likely witness the emergence of standardized security assessment frameworks specifically for IT service providers, along with more detailed incident response protocols that clearly delineate responsibilities during security events. For enterprises, this means conducting more thorough due diligence during vendor selection and implementing continuous monitoring of provider security postures. The TCS-M&S situation, while specific to these companies, represents a broader industry challenge that will drive evolution in how security responsibilities are defined, measured, and enforced across complex service delivery chains.
