TCS Holds Perfect Security Score as M&S and JLR Suffer Breaches
201 public signals of employee strain surfaced at TCS in the year before the 2025 UK breaches of M&S and JLR, yet Counterpartywatch reports the firm still held an A grade on SecurityScorecard with a perfect Social Engineering score.
Key Facts
- Key company: TCS
Tata Consultancy Services (TCS) continued to post an A‑grade (90+) on SecurityScorecard throughout 2025, with a perfect 100‑point Social Engineering score that measures how easily its employees can be targeted through public data, according to the rating firm’s publicly available metrics. Yet the same year saw two of its biggest UK clients—Marks & Spencer (M&S) and Jaguar Land Rover (JLR)—suffer costly breaches that security‑rating agencies did not anticipate. Counterpartywatch’s investigation shows that while traditional cyber‑risk scores captured TCS’s external exposure, they missed the operational weaknesses that ultimately enabled the attacks.
The first breach unfolded at M&S in April 2025. TCS had run the retailer's helpdesk under a contract worth roughly £1 billion since 2018, which gave its agents the ability to reset employee passwords. Attackers who had already exfiltrated the Active Directory password hash database in February called that helpdesk, impersonated an M&S employee, and persuaded a support agent to reset a password, gaining a foothold in the retailer's network. M&S later estimated the profit impact at £300 million. Counterpartywatch notes that the breach "was not a targeting problem" but an operational failure: a helpdesk that resets credentials on a convincing phone call is invisible to SecurityScorecard's exposure metrics, which only measure what can be observed from outside the organisation.
JLR's incident followed a similar pattern. In March 2025 the HELLCAT ransomware group used compromised contractor credentials, unchanged since 2021, to access the automaker's Jira environment and expose employee names, roles, and internal system architecture. The breach escalated in August when attackers used that information to manipulate TCS‑managed IT and manufacturing systems, forcing a production shutdown that the UK Cyber Monitoring Centre valued at £1.9 billion to the national economy. As with M&S, the weakness lay in credential hygiene and helpdesk processes rather than in publicly visible social‑engineering exposure.
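The credential-hygiene failure in the JLR chain (a contractor credential left unchanged for four years) is the kind of internal control a client can audit itself even though no external rating will see it. The following is an added example, not code from Counterpartywatch, TCS or either client: a Python audit over an exported Active Directory user list that flags enabled accounts whose password is older than a rotation threshold or has never been set. It assumes a CSV export with the columns sAMAccountName, enabled, pwdLastSet (the raw Windows FILETIME value that Get-ADUser returns) and description; the rows in SAMPLE_EXPORT are constructed for illustration. The helpdesk verification gap in the M&S chain is a process control and is not something this script can test.

```python
"""Audit an exported Active Directory user list for stale and never-set
passwords, the credential-hygiene gap behind the JLR intrusion.

Added example, not code from Counterpartywatch, TCS or either client.
Assumes a CSV export with columns sAMAccountName, enabled, pwdLastSet
(raw Windows FILETIME as exported by Get-ADUser) and description; the
rows in SAMPLE_EXPORT are constructed for illustration.
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Optional

# pwdLastSet is stored as 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """Convert an AD FILETIME to a datetime. A value of 0 means the password
    was never set or 'must change at next logon' is pending."""
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _ft(year: int, month: int, day: int) -> int:
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


# Constructed export: one healthy user, one contractor integration account
# last rotated in 2021, one account with no password set, one disabled leaver.
SAMPLE_EXPORT = f"""sAMAccountName,enabled,pwdLastSet,description
jdoe,True,{_ft(2025, 1, 15)},Employee
svc-jira-contractor,True,{_ft(2021, 3, 1)},Contractor integration account
ext-build01,True,0,Contractor build agent
old-intern,False,{_ft(2019, 6, 1)},Left 2019
"""

# Audit date chosen to match the constructed sample.
AS_OF = datetime(2025, 3, 1, tzinfo=timezone.utc)


def audit_export(csv_text: str, as_of: datetime, max_age_days: int = 90) -> list:
    """Return one finding per enabled account whose password is older than
    max_age_days or has never been set. Disabled accounts are skipped: they
    are a cleanup item, not a live foothold."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"].strip().lower() != "true":
            continue
        last_set = filetime_to_datetime(int(row["pwdLastSet"]))
        if last_set is None:
            findings.append({"account": row["sAMAccountName"], "age_days": None,
                             "reason": "password never set or reset pending"})
            continue
        age = (as_of - last_set).days
        if age > max_age_days:
            findings.append({"account": row["sAMAccountName"], "age_days": age,
                             "reason": f"password unchanged for {age} days"})
    return findings


if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT, AS_OF):
        print(f"{f['account']:<22} {f['reason']}")
```

Run against a real export, the script surfaces exactly the kind of four-year-old contractor credential described above; the 90-day threshold is an assumption and should be set to whatever the organisation's rotation policy actually states. A pwdLastSet of 0 on an enabled account deserves the same attention as a stale one, since it usually means a reset was issued and never completed.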
Counterpartywatch’s alternative‑data approach uncovered 201 public signals of employee strain at TCS in the year preceding both breaches, drawn from employee reviews and social‑media posts across six platforms. The analyst, Arina Razmyslovich, argues that these “organizational strain” indicators—rising workload, burnout, and morale issues—may have contributed to lapses in operational discipline, such as the failure to rotate contractor credentials or enforce strict verification for password resets. While the data set is not a direct causal proof, it highlights a blind spot in conventional cyber‑risk assessments that focus on technical controls and external threat vectors while overlooking internal process health.
The disparity between TCS’s flawless security rating and the real‑world outcomes at its clients raises broader questions for investors and risk managers. As TCS is a $30 billion firm embedded deep in the IT stacks of Fortune‑500 enterprises, its operational resilience directly affects the security posture of those clients. The incidents suggest that rating agencies may need to expand their frameworks to incorporate “operational risk” metrics—such as helpdesk verification rigor, credential rotation policies, and workforce wellbeing—if they are to provide a more accurate picture of third‑party risk.
For now, the breaches serve as a cautionary tale: a perfect score on a public rating platform does not guarantee immunity from the kinds of human‑error failures that can cripple multi‑billion‑pound enterprises. Counterpartywatch’s findings underscore the importance of looking beyond traditional metrics and monitoring the health of the people who run the systems that underpin today’s digital economy.
This article was created using AI technology and reviewed by the SectorHQ editorial team for accuracy and quality.