Third-Party Risk

When Supply Chain Vendors Become Weak Links

24 March 2026, 14 min read

You can invest millions in your own security controls, hire the best talent, and implement every best practice in the book. But if your suppliers are vulnerable, so are you. The breaches at Marks & Spencer and Jaguar Land Rover in 2025 provide stark reminders that modern attackers rarely target organisations directly; they find the path of least resistance through the supply chain.

This guide examines what went wrong in these high-profile cases and provides a practical framework for managing third-party risk that goes beyond checkbox compliance.

The M&S Breach: A Helpdesk Becomes the Entry Point

In April 2025, Marks & Spencer suffered one of the most disruptive retail cyberattacks in UK history. The Scattered Spider cybercrime group infiltrated the company's systems after compromising credentials of TCS helpdesk staff who supported M&S operations.

How the Attack Unfolded

The attackers, posing as M&S employees, contacted the company's IT helpdesk, operated by Tata Consultancy Services (TCS), and used social engineering to convince staff to reset credentials. As M&S chairman Archie Norman later told Parliament, it was "a sophisticated impersonation... they just didn't walk up and say will you change my password? They appeared as somebody with their details."

Once inside, the attackers deployed ransomware using the DragonForce platform and spent weeks moving through the network before triggering the encryption. The impact was severe:

  • £300 million in lost operating profit
  • Six-week suspension of online orders
  • Manual workarounds for inventory management, including staff physically checking refrigerator temperatures
  • Customer data exposure affecting millions, including names, addresses, dates of birth, and purchase histories
  • National headlines and parliamentary scrutiny

The breach exposed a fundamental supply chain vulnerability: M&S had outsourced a critical security function, identity verification and credential resets, to a third party without adequate controls to prevent social engineering attacks.

The Contract Fallout

In mid-2025, M&S ended its helpdesk contract with TCS, selecting a new provider through a competitive procurement process. Both companies maintained the decision predated the breach, but the timing spoke volumes. TCS conducted an internal investigation and found "no indicators of compromise within the TCS network," while also noting that "TCS does not provide cyber security services to Marks & Spencer. This is a service that is provided by another partner of M&S."

This defence highlights a common supply chain problem: when a breach occurs through a third party, accountability becomes disputed. The vendor points to client processes; the client blames vendor controls. Meanwhile, the business suffers.

The JLR Breach: Supply Chain Complexity Multiplies Risk

Just months later, at the end of August 2025, Jaguar Land Rover faced an even more costly attack. The Scattered Lapsus$ Hunters group, an amalgamation of Scattered Spider, Lapsus$, and ShinyHunters, compromised JLR's systems, forcing a complete global production shutdown.

Attack Vectors and Technical Details

The JLR breach differed from M&S in its entry point but shared the same fundamental theme: supply chain vulnerability. Attackers exploited a known vulnerability in SAP NetWeaver, third-party software used by JLR for business operations. Some threat intelligence suggested the attack may have leveraged data from earlier campaigns, though the precise relationship between these factors remains subject to ongoing investigation.

The operational impact was catastrophic:

  • £196 million direct cost to JLR in Q2 (per company results); estimated £1.9 billion total impact on UK economy (Cyber Monitoring Centre)
  • Six-week production halt across UK plants
  • 1,000+ vehicles per day of lost production
  • 5,000+ UK businesses in the supply chain affected
  • UK government intervention with a £1.5 billion loan guarantee to support suppliers

The Interconnectedness Problem

JLR had invested heavily in IT transformation, including an £800 million, five-year contract with TCS to manage networks, data connections, and cybersecurity. TCS had promoted "smart factories where everything is connected" using AI to "avoid plant downtime."

This interconnectedness became a vulnerability. When the attack was detected on August 31, JLR could not isolate affected factories or functions and proactively shut down systems on September 1-2. The production halt lasted until October 8, almost six weeks of lost output. As one analyst noted, "this was far beyond data theft, it was a complete operational outage."

The Compounding Factor: Earlier Breaches

JLR's September incident was potentially exacerbated by a March 2025 breach where the HELLCAT ransomware group leaked 700 internal documents, including source code, employee data, and system configurations. The Scattered Lapsus$ Hunters may have used this intelligence to craft more convincing social engineering campaigns or identify system vulnerabilities.

This illustrates another supply chain risk: data exposed in one breach can enable future attacks. Your vendors' security failures become your attack intelligence for adversaries.

Common Threads: What Both Breaches Reveal

1. The Same Threat Actors, Different Targets

Both attacks involved Scattered Spider or affiliated groups. These actors have refined supply chain targeting to an art form. They understand that helpdesks, managed service providers, and software vendors often have privileged access to multiple client environments, and frequently weaker security controls.

2. TCS as a Common Denominator

While the specific vulnerabilities differed, both M&S and JLR had significant relationships with Tata Consultancy Services. TCS has over 200 UK clients across finance, energy, and nuclear sectors. The parliamentary scrutiny that followed these breaches led to formal questioning of TCS about its role in both incidents.

This is not to assign blame to TCS specifically, but to highlight a broader reality: when major service providers are involved in breaches, the ripple effects extend across their entire client base. Your security is partly dependent on your vendors' security, and on their other clients' security practices.

3. Social Engineering Remains the Supply Chain's Achilles Heel

Whether through helpdesk calls (M&S) or potentially through compromised credentials from earlier campaigns (JLR), human factors dominated both breaches. Technical controls mean little when attackers can convince humans to bypass them.

4. The Cost of Recovery Exceeds Prevention

M&S lost £300 million; JLR incurred £196 million in direct costs with the broader UK economic impact estimated at £1.9 billion. The cost of proper third-party risk management (security assessments, contractual controls, monitoring) is a fraction of these figures. Yet organisations consistently underinvest in supply chain security until after a breach.

A Practical Framework for Supply Chain Security

Phase 1: Know Your Supply Chain (Months 1-3)

Inventory All Third Parties

Most organisations underestimate their supply chain size. Beyond direct suppliers, consider:

  • Cloud service providers and SaaS vendors
  • Managed service providers (MSPs) and IT outsourcers
  • Professional services firms with system access
  • Logistics and fulfilment partners
  • Marketing agencies with website and data access
  • Cleaning and facilities staff with physical access
  • Subcontractors and fourth-party dependencies

Classify by Risk Level

Not all vendors require the same scrutiny. Classify based on:

  • Criticality: What business functions depend on this vendor?
  • Data access: Do they process PII, financial data, or intellectual property?
  • System access: Do they have privileged access to your networks or production systems?
  • Concentration risk: How dependent are you on this single provider?

Both M&S and JLR classified TCS as a strategic partner with broad system access, yet the security controls applied to this relationship proved insufficient for that risk level.

Map Data Flows

Understand what data travels to each vendor, how it's protected in transit and at rest, and what their data retention and deletion policies are. Many supply chain breaches expose data organisations forgot they had shared.

Phase 2: Contractual Controls (Ongoing)

Security Requirements by Tier

Base contractual requirements on risk classification:

Critical Risk Vendors: ISO 27001 or SOC 2 Type II certification, annual penetration testing, right to audit, 24-hour breach notification, cyber insurance £5M+.

High Risk Vendors: Security questionnaire completion, evidence of controls, breach notification within 48 hours.

Medium Risk Vendors: Standard security clauses, self-assessment questionnaire.

Low Risk Vendors: Basic confidentiality and security commitments.
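The two steps above, classifying a vendor on the four factors from Phase 1 and then deriving the contractual requirements for its tier, are easiest to keep honest when they are written down as a scoring rule and a gap check. The following is an added example and not code from the original article; the weights, tier thresholds, control names and the three sample vendors are constructed assumptions, chosen so that privileged system access (the common factor in both incidents discussed above) carries the most weight.

```python
"""Risk-based vendor tiering with a contractual-requirement gap check.

Added example, not code from the original article. The scoring weights,
tier thresholds, control names and vendor records are constructed
assumptions that mirror the four tiers described in the article.
"""
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    criticality: int      # 0-3: business impact if this vendor fails
    data_access: int      # 0-3: none / internal only / PII or financial / PII plus IP
    system_access: int    # 0-3: none / read-only / standard user / privileged
    concentration: int    # 0-3: how hard the vendor is to replace
    evidence: set = field(default_factory=set)  # controls the vendor has evidenced


# Weights are an assumption: privileged system access dominates because the
# parties involved in the M&S and JLR incidents held broad access.
WEIGHTS = {"criticality": 2, "data_access": 2, "system_access": 3, "concentration": 1}

# Contractual requirements per tier, following the article's tiering.
TIER_REQUIREMENTS = {
    "critical": {"iso27001_or_soc2", "annual_pentest", "right_to_audit",
                 "breach_notify_24h", "cyber_insurance_5m_plus"},
    "high": {"security_questionnaire", "control_evidence", "breach_notify_48h"},
    "medium": {"standard_security_clauses", "self_assessment"},
    "low": {"basic_confidentiality_and_security"},
}


def risk_score(v: Vendor) -> int:
    """Weighted sum of the four classification factors (maximum 24)."""
    return (WEIGHTS["criticality"] * v.criticality
            + WEIGHTS["data_access"] * v.data_access
            + WEIGHTS["system_access"] * v.system_access
            + WEIGHTS["concentration"] * v.concentration)


def tier_for(score: int) -> str:
    """Map a score onto the article's four tiers (thresholds are assumptions)."""
    if score >= 16:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def contract_gaps(v: Vendor) -> dict:
    """Return the vendor's tier and the tier-mandated controls it has not evidenced."""
    score = risk_score(v)
    tier = tier_for(score)
    missing = sorted(TIER_REQUIREMENTS[tier] - v.evidence)
    return {"vendor": v.name, "score": score, "tier": tier, "missing": missing}


# Constructed sample register: an outsourced helpdesk holding credential-reset
# rights, a marketing agency with website and customer-data access, and a
# cleaning contractor with physical access only.
SAMPLE_VENDORS = [
    Vendor("helpdesk-outsourcer", criticality=3, data_access=2, system_access=3,
           concentration=2, evidence={"iso27001_or_soc2", "security_questionnaire"}),
    Vendor("marketing-agency", criticality=1, data_access=2, system_access=1,
           concentration=0, evidence={"self_assessment"}),
    Vendor("cleaning-contractor", criticality=0, data_access=0, system_access=0,
           concentration=0),
]


def gap_report(vendors=SAMPLE_VENDORS) -> list:
    """Gap analysis for every vendor, highest risk first."""
    return sorted((contract_gaps(v) for v in vendors), key=lambda r: -r["score"])


if __name__ == "__main__":
    for row in gap_report():
        print(f"{row['vendor']:<22} score={row['score']:>2} tier={row['tier']:<8} "
              f"missing={', '.join(row['missing']) or 'none'}")
```

Note that the helpdesk outsourcer lands in the critical tier even though it already holds a certification: the gap check reports the penetration testing, audit rights, 24-hour notification and insurance requirements it has not evidenced, which is exactly the list a contract renewal should be driven by.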

Specific Clauses to Include

  • Breach notification: Require immediate notification of any security incident, not just confirmed breaches affecting your data
  • Subcontractor visibility: Know and approve any fourth parties with access to your systems or data
  • Exit provisions: Ensure data deletion and access revocation procedures are defined contractually
  • Liability limitations: Consider whether standard liability caps are appropriate for cyber incidents

M&S and JLR both had substantial contracts with TCS, yet the specific security control requirements and accountability mechanisms clearly failed to prevent breaches.

Phase 3: Continuous Monitoring (Ongoing)

Annual Assessments Are Insufficient

The annual security questionnaire is industry standard, and industry inadequate. Consider:

  • Continuous monitoring services that track vendor security ratings and breach disclosures
  • Quarterly check-ins with critical vendors on security posture changes
  • Incident intelligence monitoring for reports of breaches affecting your supply chain

Validate, Don't Trust

When M&S chairman Archie Norman described the attack as occurring through "human error" at a third party, he highlighted a common problem: organisations trust their vendors' security without validation.

For critical vendors, consider:

  • Requesting and reviewing recent penetration test results
  • Conducting your own security assessments
  • Performing regular social engineering tests against vendor helpdesks that support your environment
  • Reviewing vendor incident response plans and testing coordination

Watch for Concentration Risk

If multiple critical vendors use the same underlying providers (cloud platforms, payment processors, MSPs), a single breach can cascade. JLR's experience with interconnected smart factory systems shows how concentration risk can force complete shutdowns rather than partial outages.

Phase 4: Incident Response Coordination

Pre-Define Communication Protocols

In the chaos of a breach, you don't want to be exchanging contact details. Pre-establish:

  • Primary and secondary security contacts at each critical vendor
  • Escalation paths for suspected incidents
  • Legal and communications coordination procedures
  • Forensic investigation cooperation agreements

Understand Your Vendor's Incident Response

When JLR was breached, they brought in third-party specialists and worked with the NCSC. But how would your vendors respond? Key questions:

  • Do they have 24/7 security monitoring and response?
  • Will they share forensic findings with affected clients?
  • Can they isolate your environment from other clients if needed?
  • What's their track record on transparency during incidents?

Specific Controls: Learning from M&S and JLR

Helpdesk and Identity Verification

The M&S breach demonstrates that helpdesks are high-value targets. If you outsource identity verification:

  • Multi-factor authentication for password resets: Even if helpdesk staff are compromised, attackers need additional factors
  • Out-of-band verification: Require callback to a registered number or verification through a separate channel
  • Privileged access workstations: Helpdesk staff with elevated privileges should work from hardened, monitored systems
  • Social engineering testing: Regularly test your helpdesk, internal or outsourced, with simulated attacks
  • Geographic and temporal anomaly detection: Flag unusual access patterns for verification
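The point of the controls above is that no single helpdesk agent, however persuaded, should be able to complete a reset on their own say-so. The following is an added example, not code from the original article or from any helpdesk product: it encodes the callback, MFA and anomaly rules as a policy function that a reset workflow would call before changing a credential. The directory and request fields, the business-hours window, the phone numbers and the three sample requests are constructed assumptions.

```python
"""Verification policy for a credential-reset request handled by a helpdesk.

Added example, not code from the original article. The request and
directory fields, the business-hours window and the decision rules are
constructed assumptions illustrating the controls listed above.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class DirectoryRecord:
    user_id: str
    registered_phone: str        # held in the directory, never taken from the caller
    usual_countries: frozenset   # countries the user normally authenticates from
    mfa_enrolled: bool
    privileged: bool


@dataclass(frozen=True)
class ResetRequest:
    user_id: str
    requested_at: datetime       # timezone-aware
    caller_country: str
    caller_supplied_phone: str   # whatever the caller states; not trusted on its own
    callback_completed_to: str   # number the agent actually called back, "" if none
    mfa_push_approved: bool      # account owner approved on an enrolled device


BUSINESS_HOURS_UTC = range(7, 19)   # assumption: 07:00-18:59 UTC


def evaluate_reset(req: ResetRequest, rec: DirectoryRecord):
    """Return (decision, reasons); decision is 'deny', 'escalate' or 'approve'.

    Hard requirements (out-of-band callback to the registered number and an
    MFA approval) deny on failure. Anomaly flags and privileged accounts
    escalate to a second approver rather than being decided by one agent.
    """
    if req.user_id != rec.user_id:
        return "deny", ["request and directory record do not match"]

    failures = []
    if req.callback_completed_to != rec.registered_phone:
        failures.append("callback not completed to the registered number")
    if not rec.mfa_enrolled:
        failures.append("no MFA enrolment: reset requires in-person identity proofing")
    elif not req.mfa_push_approved:
        failures.append("MFA approval not received from an enrolled device")
    if failures:
        return "deny", failures

    flags = []
    if req.caller_country not in rec.usual_countries:
        flags.append(f"caller country {req.caller_country} is unusual for this user")
    if req.requested_at.astimezone(timezone.utc).hour not in BUSINESS_HOURS_UTC:
        flags.append("request outside business hours")
    if req.caller_supplied_phone != rec.registered_phone:
        flags.append("caller-supplied number differs from the registered number")
    if rec.privileged:
        flags.append("privileged account: second approver always required")
    return ("escalate", flags) if flags else ("approve", [])


# Constructed directory entries and requests (numbers are placeholders).
ALICE = DirectoryRecord("alice", "+44 20 0000 0001", frozenset({"GB"}), True, False)
ADMIN = DirectoryRecord("ops-admin", "+44 20 0000 0002", frozenset({"GB"}), True, True)
DAYTIME = datetime(2025, 4, 15, 10, 30, tzinfo=timezone.utc)

ROUTINE = ResetRequest("alice", DAYTIME, "GB", "+44 20 0000 0001", "+44 20 0000 0001", True)
# Failure mode the control exists for: the caller supplies an unregistered number
# and the agent calls that number back instead of the directory one.
IMPERSONATION = ResetRequest("alice", DAYTIME, "GB", "+44 7000 000000", "+44 7000 000000", False)
# Callback and MFA both correct, but a privileged account at 02:00 UTC from an unusual country.
AFTER_HOURS_ADMIN = ResetRequest("ops-admin", datetime(2025, 4, 16, 2, 0, tzinfo=timezone.utc),
                                 "US", "+44 20 0000 0002", "+44 20 0000 0002", True)

if __name__ == "__main__":
    for label, req, rec in [("routine", ROUTINE, ALICE), ("impersonation", IMPERSONATION, ALICE),
                            ("after-hours admin", AFTER_HOURS_ADMIN, ADMIN)]:
        decision, why = evaluate_reset(req, rec)
        print(f"{label:<18} -> {decision:<8} {'; '.join(why)}")
```

The design choice worth copying is the split between deny and escalate: the callback and MFA checks are non-negotiable and fail closed, while the geographic and temporal anomalies do not block a legitimate user travelling or working late but force a second pair of eyes, which removes the single-agent decision that the M&S impersonation relied on.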
Network Segmentation and Zoning

JLR's complete production shutdown resulted from insufficient network segmentation. For manufacturing and operational environments:

  • Air gaps where possible: Critical operational technology (OT) networks should be isolated from corporate IT
  • Micro-segmentation: Even within connected environments, limit lateral movement through strict network zoning
  • Zero trust architecture: Assume breach and verify every access request, regardless of source
  • Emergency isolation procedures: Pre-plan how to isolate compromised segments without shutting down entire operations

Software Supply Chain Security

JLR's SAP NetWeaver vulnerability exploitation highlights software supply chain risks:

  • Inventory all third-party software: Including versions, patch levels, and end-of-life status
  • Vulnerability management: Track CVEs affecting your software supply chain with severity-based patching SLAs
  • Vendor security advisories: Subscribe to security notifications from all critical software vendors
  • Alternative vendor identification: For critical systems, know your alternatives if a vendor is compromised
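The first two items above only work together: an inventory with versions and end-of-life dates, joined against vendor advisories, is what turns a "known vulnerability" into a dated obligation. The following is an added example, not code from the original article or from any vulnerability-management product. The inventory, the product names, the advisories and the SLA day counts are constructed, and the CVE identifiers are placeholders rather than real advisories.

```python
"""Third-party software inventory with severity-based patch SLA tracking.

Added example, not code from the original article. The inventory, the
advisories, the product names and the SLA day counts are constructed;
the CVE identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Patching SLA in days by severity (assumed values; a real policy sets its own).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    end_of_life: Optional[date] = None   # vendor support end date, if known


@dataclass(frozen=True)
class Advisory:
    cve_id: str
    product: str
    fixed_in: str        # first non-vulnerable version
    severity: str
    published: date


def version_key(v: str) -> tuple:
    """Compare dotted numeric versions component-wise ('7.40' -> (7, 40))."""
    return tuple(int(p) for p in v.split("."))


def findings(assets, advisories, today: date) -> list:
    """One row per (asset, advisory) exposure plus one per end-of-life asset.

    Unsupported software gets a critical finding of its own: with no vendor
    fix coming, the only remediation is replacement, so it is always overdue.
    """
    rows = []
    for a in assets:
        if a.end_of_life is not None and a.end_of_life <= today:
            rows.append({"asset": a.name, "issue": "end-of-life", "severity": "critical",
                         "deadline": a.end_of_life,
                         "days_overdue": (today - a.end_of_life).days})
        for adv in advisories:
            if adv.product != a.product or version_key(a.version) >= version_key(adv.fixed_in):
                continue
            deadline = adv.published + timedelta(days=SLA_DAYS[adv.severity])
            rows.append({"asset": a.name, "issue": adv.cve_id, "severity": adv.severity,
                         "deadline": deadline,
                         "days_overdue": max(0, (today - deadline).days)})
    # Most overdue first, then earliest deadline.
    return sorted(rows, key=lambda r: (-r["days_overdue"], r["deadline"]))


def overdue(rows) -> list:
    """Findings that have passed their SLA deadline."""
    return [r for r in rows if r["days_overdue"] > 0]


# Constructed inventory and advisories (product names and CVE ids are placeholders).
ASSETS = [
    Asset("erp-prod", "Example-ERP-Server", "7.40"),
    Asset("legacy-portal", "Example-Portal", "6.10", end_of_life=date(2025, 6, 30)),
    Asset("hr-saas", "Example-HR", "2.3"),
]
ADVISORIES = [
    Advisory("CVE-PLACEHOLDER-0001", "Example-ERP-Server", "7.41", "critical", date(2025, 8, 20)),
    Advisory("CVE-PLACEHOLDER-0002", "Example-ERP-Server", "7.45", "medium", date(2025, 8, 25)),
]
TODAY = date(2025, 9, 1)

if __name__ == "__main__":
    for r in findings(ASSETS, ADVISORIES, TODAY):
        state = f"overdue by {r['days_overdue']}d" if r["days_overdue"] else "open"
        print(f"{r['asset']:<14} {r['issue']:<22} {r['severity']:<8} due {r['deadline']} {state}")
```

Run against the constructed data on 1 September 2025, the report lists the unsupported portal (63 days past end-of-life) and the critical ERP advisory (deadline 27 August, five days overdue) ahead of the medium advisory that is still within its 90-day window; that ordering is the daily worklist the "severity-based patching SLAs" bullet is asking for.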
The Regulatory Context

The UK government has responded to the M&S, JLR, and similar breaches with increased focus on supply chain security:

  • Product Security and Telecommunications Infrastructure Act: Imposes security requirements on IoT and connected device manufacturers
  • NCSC supply chain guidance: Expanded guidance on managing supply chain cyber risk
  • Sector-specific regulation: Financial services, critical infrastructure, and healthcare face increasing supply chain security mandates

Organisations should expect regulatory attention to supply chain security to intensify. The parliamentary scrutiny of both M&S and JLR indicates that lawmakers view supply chain vulnerabilities as systemic risks requiring intervention.

Measuring Supply Chain Security Programme Maturity

Level 1: Ad-hoc

No formal third-party security programme; assessments conducted inconsistently if at all.

Level 2: Defined

Security questionnaire used for new vendors; annual reviews conducted.

Level 3: Managed

Risk-based tiering of vendors; contractual security requirements by tier; regular reassessment.

Level 4: Integrated

Continuous monitoring of vendor security posture; joint incident response planning; validation of vendor controls.

Level 5: Optimised

Real-time visibility into supply chain risks; automated detection of vendor security changes; proactive threat intelligence sharing with critical vendors.

Most organisations operate at Level 2. The M&S and JLR breaches suggest that even large, well-resourced companies may not exceed Level 3 in practice, despite the sophistication of their attackers.

Conclusion: Supply Chain Security Is Your Security

The M&S and JLR breaches share a common lesson: you cannot outsource accountability for security. When M&S's helpdesk was compromised, customers blamed M&S, not TCS. When JLR's production halted, the market punished JLR's valuation, not their software vendors.

Supply chain security requires the same rigour as internal security: risk assessment, continuous monitoring, incident response planning, and regular testing. The difference is that you have less direct control and must achieve security through contract, verification, and relationship management rather than direct implementation.

The question for CISOs and security leaders is not whether your organisation can withstand a direct attack. It's whether you can withstand an attack on your least secure critical vendor. For M&S and JLR, the answer in 2025 was no. For your organisation, the time to ensure a different answer is now, before your suppliers become your attackers' entry point.

Your supply chain extends your security perimeter. Defend it accordingly.


Richard Midwinter
CTO
