Supply chain [SC] Supply Chain

Marks & Spencer Third-Party Breach (May 2025)

2025-05-01 [vendor] Tata Consultancy Services (TCS)
Primary Source ↗

Incident Details

Marks & Spencer confirms customer data stolen in cyberattack. M&S said that some customer data — but not payment card details or passwords — had been breached in a recent cyberattack. British retailer Marks and Spencer (M&S) announced on Tuesday that it was writing to customers to confirm their personal data had been compromised in a recent cyberattack. It follows the company announcing in April that it had been managing a cyber incident that was causing disruption to its operations. The share price for M&S — a constituent of the FTSE 100 Index — has dropped 11% over the last month. Third-party company: Tata Consultancy Services (TCS).

Technical Details

Initial Attack Vector
Compromise of third-party service provider / vendor relationship
Vendor / Product
Tata Consultancy Services (TCS)
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2025-05-01 Breach occurred
  2. 2025-05-13 Publicly disclosed