25/09/25

“The dragon wants to speak to you,” said the ominous message to Stuart Machin, the chief executive of Marks & Spencer (M&S). “We have mercilessly raped your company and encrypted all the servers.”

The note, sent from an employee’s email address by hackers, came as a devastating cyber attack locked down M&S’s systems and forced it to halt online sales at a cost of £300m.

Since then, hackers from a gang calling themselves Scattered Spider have unleashed a wave of attacks across Britain, most recently bringing carmaker Jaguar Land Rover (JLR) to a standstill. The attackers have also been linked to a breach of customer data at the Co-op and a hack of Australian airline Qantas.

The string of attacks on major companies has led to questions about just how hackers were able to gain access. Britain’s National Cyber Security Centre, an arm of GCHQ, warned in May that IT helpdesk teams – which can reset passwords or solve common computer gripes – were being targeted by hackers seeking to trick their way into businesses.

Some cyber experts now claim that one company – Tata Consultancy Services (TCS), an Indian IT and outsourcing giant – is being targeted and could be a weak link in the system.

On Friday, Liam Byrne, the chairman of the business and trade committee, wrote to Krithi Krithivasan, the chief executive of TCS, demanding details of TCS’s work with M&S, Co-op and JLR and asking whether it had launched an internal investigation into the cyber attack on the carmaker. In a sign of concerns about how reliant the UK has become on the outsourcer, Byrne also called on Krithivasan to reveal the extent of TCS’s involvement with Britain’s critical national infrastructure.

In a blog post last week, Kevin Beaumont, a cyber security consultant, wrote that it is “well known in the cyber industry” that hackers were “phoning helpdesks and asking for access and getting it with ease”.

He added: “TCS provided this helpdesk service, shared across customers.”

Another cyber security source says they wouldn’t blame Tata “in particular” but that outsourced IT helpdesks have proved to be “a weak link” in a series of cyber attacks.

TCS is a giant even among India’s huge outsourcers. The company has more than 600,000 employees, including 23,000 in Britain, handling IT services on behalf of major banks and retailers. It is the fourth most valuable company in India – worth £95bn – and is the largest part of the wider Tata Group, a conglomerate that controls Tata Motors and Britain’s JLR.

TCS has also been M&S’s main outsourcing partner for more than a decade. It renewed its deal with the retailer in 2023 with a plan to “simplify M&S’s technology landscape and modernise its core business systems” as well as to “drive a culture of futuristic thinking”.

Hundreds of roles have been outsourced during the course of M&S’s dealings with TCS.

[Photo: Stuart Machin, chief executive of M&S, received an email from the hackers]

In the wake of the cyber attack on M&S in April, the Indian giant reportedly launched an internal investigation. At a shareholder meeting weeks later, Keki Mistry, a board member at TCS, insisted that none of the company’s “systems or users were compromised” in the attack on M&S. “None of our other customers are impacted,” Mistry said.

Still, multiple cyber security experts contacted by The Telegraph had questions over whether TCS’s outsourced IT helpdesks could have been targeted by hackers. A spokesman for TCS declined to comment further.

‘Social engineering’ to trick helpdesks

Speaking to MPs in July, Archie Norman, the chairman of M&S, gave his own account of how the hack unravelled in April. He said hackers carried out “sophisticated impersonation” and “social engineering” to gain entry. “Part of the point of entry in our case also involved a third party,” he said. An M&S spokesman declined to provide further details.

A source close to M&S claimed the hack was tied to a contact centre in India and that hackers had acquired “super-user” level access to its systems.

Jamie MacColl, a cyber security expert at Rusi, says these kinds of social engineering attacks have proved highly effective for Scattered Spider, a group of hackers mostly believed to be made up of British and American teenagers. “They are English speaking with English or American accents, rather than say a Russian one,” he says. “Calling up an IT helpdesk and saying you are an employee is considerably easier.”

These hackers have proved adept at blagging their way into critical IT systems. Some of their attacks have also grown increasingly sophisticated, MacColl says, in some cases incorporating powerful ransomware viruses from Russian cyber crime groups that they can implant into companies after tricking IT workers into handing over passwords.

Chris Yule, the director of threat research at Sophos, says outsourcers might be more vulnerable to these attacks: “When you’re working with outsourced helpdesks in particular, their primary aim is often to please their callers and not be seen as a blocker.”

Jaguar Land Rover targeted

Just as the dust had begun to settle on the cyber attack on M&S, another company linked to TCS was rocked by a devastating hack. On Aug 31, JLR was forced to shut down its production lines after hackers infiltrated its systems with ransomware.

[Photo: Jaguar Land Rover’s business has been brought to a standstill - Matt Crossick/Alamy Stock Photo]

Hackers from Scattered Lapsus$ Hunters, an apparent offshoot of Scattered Spider, boasted about their accomplishments on the private messaging app Telegram. The entry point for the hack has not been confirmed, although the hackers claimed to have exploited a vulnerability in software from Germany’s SAP.

JLR has outsourced large chunks of its technical and security expertise to TCS.
In 2023, the company announced an £800m deal with TCS that would see the Indian group take over much of the company’s IT division, including security. The carmaker said the deal would “reduce JLR’s net expenditure and unlock free cash flow”.

Under laws that require staff to be offered the same role when work is outsourced, JLR employees kept their jobs, although many chose not to move over. A year later, staff were told that their jobs may be at risk. Up to 100 staff were made redundant at the start of April, according to a former employee. The account is backed up by LinkedIn profiles that show a significant number of former JLR staff leaving TCS earlier this year.

JLR and TCS did not comment on the job losses and it is unclear how the company’s cyber security team was affected.

The Indian company has faced questions before over its service. It spent years in a legal battle with a branch of the Home Office over claims that it had botched a rebuild of its computer systems. Both sides sued each other and each was awarded damages. The University of Oxford also terminated a deal with TCS last year after glitches with the online test system it had built.

TCS’s size means it is almost inevitable that some of its clients might be subject to cyber attacks – but the company’s involvement in Britain’s two most high profile victims this year is likely to raise eyebrows.

So far this year, TCS’s shares are down by 28pc – although this appears to have been chiefly driven by concerns that cheap outsourced labour could be displaced by AI bots. Some estimates have suggested 500,000 jobs in India’s IT sector could be at risk over the next three years.

The company has also been buffeted by Donald Trump’s plans to add a $100,000 (£75,000) fee to H-1B visas, which are used by companies to bring foreign tech workers into the US.

[Chart: Top companies for H-1B visas approval]

TCS is the second biggest beneficiary of these visas, with 5,000 approved so far in 2025 alone.
The fee could substantially ramp up their costs or prompt clients to seek alternatives.

After years of benefitting from Western companies’ cost-cutting, pressure is mounting on India’s outsourcing juggernaut.

The suspected weak link in the Jaguar Land Rover and M&S hacks