Full Report
The Elephant in The Biz: outsourcing of critical IT and cybersecurity functions risks UK economic security

Recently there have been three major UK ransomware and/or extortion incidents at three big UK companies: Co-op Group, Marks and Spencer and Jaguar Land Rover. One thing connects them all: in the past five years, they all outsourced key IT and cybersecurity services to TCS, aka Tata Consultancy Services. I'm not saying TCS are bad, or totally at fault. But I want to unpack what is happening here, as the wider context is important.

Estimates vary as to the cost of these incidents, but the Cyber Monitoring Centre pegs the cost at Co-op and M&S at around half a billion pounds, and retail industry groups also land around that figure.

Cyber Monitoring Centre estimates cost of UK retail attacks at £440 million

Marks and Spencer are still recovering systems several months later, and Co-op Group spent over a month without key IT systems.

With Marks and Spencer, their insurance provider suffered a "full tower loss", meaning the cost exceeded M&S's £100m of cover. M&S expect the cyber insurance policy to cover around half the total cost. Co-op Group had no cyber insurance cover and so refused to pay the ransom, which is why the teenage hackers involved escalated against them hardest in the media.

Jaguar Land Rover are currently 15 days into a total car manufacturing shutdown. As I write this, over two weeks in, staff still have no idea when IT systems will be restored so that car manufacturing can restart.

Costs so far to Jaguar Land Rover are unknown. The BBC reports estimates of around £10m a day, so somewhere in the region of £150m so far.
However, this is "just" lost profit. When you factor in cyber incident response, legal fees and everything else, plus the fact that the incident is still not resolved and services not recovered, it is very possible this will rise significantly. The Telegraph claim JLR are losing £72m a day, which would bring the current total to just over a billion pounds if accurate.

Jaguar Land Rover production shutdown could last until November

The result? These three incidents alone have likely cost the organisations involved, all told, around a billion pounds. The only suspects arrested have been released on bail and, months later, have not been charged; they are mostly teenagers. Some of the suspects have prior UK convictions for similar incidents, but simply kept on keeping on.

(Image caption: Noman wishes you keep on keeping on)

But here's the thing. A billion quid sounds bad, but they're private companies, so who cares?

The BBC reports Jaguar Land Rover made just over £2 billion in profit in the past year. They can afford to take a hit too. They have saved a lot of money by outsourcing to TCS, after all.

The following might make you care.

The BBC also reports that the downstream impact on Jaguar Land Rover's suppliers, many of them small to medium sized businesses, is leading to staff being laid off.
There are now growing calls for the UK government to set up a furlough scheme, at taxpayer expense, to pay the suppliers to keep staff on while Jaguar Land Rover try to recover their largely outsourced IT systems.

Jaguar Land Rover: Some suppliers 'face bankruptcy' due to hack crisis

Essentially, we have ended up in a situation where, to deliver shareholder value, large organisations are incentivised to outsource core IT and cybersecurity functions to low cost managed service providers abroad, and then, when hit with ransomware, the insurance covers paying the ransom (some insurers will actually push for payment to criminal groups, to cover their potential losses).

This cycle feeds the ransomware economy: the same criminal groups can reinvest the money in purchasing exploits and gaining initial access to other organisations. Because ransomware is such big business, many of the groups have far bigger research and development funds than the organisations they are attacking, especially when those organisations have outsourced key areas to low cost providers.

The net effect is that ransomware and extortion groups continue to gain access to more organisations, and risk UK economic security. It is only a matter of time before they hit some kind of essential UK service that directly impacts millions of people, by which point millions of people will be asking what is being done about the problem. And the answer is: not enough. When we are at the stage of having to look at urgent furlough schemes for JLR's suppliers to rightly save jobs, it isn't so much a sign that the canary in the coal mine has died, but that the coal mine is also about to collapse on people.

How we got here

Co-op Group began its relationship with TCS over a decade ago, but really started to outsource key IT services to TCS around 2017. At the time I managed their Security Operations Centre.
They outsourced their IT helpdesk, thought to be the intrusion point for the incident, to TCS, transferring staff to TCS and ultimately making roles redundant.

At the time, I took this photo in the public lobby of 1 Angel Square, where a colleague had written that they were working on selling the company to Tata (TCS) as part of "Fuel for Growth":

(Image caption: Colleagues were not happy)

After I left the organisation in late 2019, they fully outsourced my team, the Cyber Security Operations Centre, to TCS, along with various other key cybersecurity services. That team is tasked with detecting unauthorised access. They also centralised more IT teams, and then transferred those services to TCS too around 2020, making colleagues redundant in the process:

UK's Co-operative Group to centralise IT teams across various divisions, warns redundancies 'inevitable'

Co-op Group recorded £161m in pre-tax profits in the past financial year.

Marks and Spencer started their relationship with TCS around a similar time, also outsourcing key IT services and making staff redundant:

M&S outsources half of its tech jobs

This included their IT helpdesk, also the point of entry for the incident. My understanding is that, as this relationship progressed, they also started outsourcing elements of their cybersecurity function to TCS, including the team tasked with detecting unauthorised activity.

M&S recorded pre-tax profits of £876m in the past financial year.

Jaguar Land Rover follows a similar pattern. They outsourced key areas of IT to TCS, then went on to outsource parts of cyber, including Security Operations, Governance Risk and Compliance, and Identity and Access Management, to TCS. Although staff were transferred using TUPE, many were later made redundant. That TUPE pattern is repeated across the organisations.

JLR recorded pre-tax profits of £2.5 billion in the past financial year, their best performance in a decade.

TCS deny everything

They don't.
TCS deny any of their systems were breached. Their statements on the matter should be parsed carefully to see exactly what statement they are making, or which question they are answering.

It is well known in the cyber industry that the LAPSUS$ kids were phoning helpdesks and asking for access, and getting it with ease. TCS provided this helpdesk service, shared across customers. When TCS have domain admin in environments and manage IT services, the question isn't "were TCS breached?". It's "how were TCS's customers breached, and did you provide those services?"

It's not a secret in the cyber industry that there are a lot of stories about TCS; I've heard names like Terrible Cyber Service in the trenches. And the memes have been around for a while.

(Image caption: 100000000000% certified)

There are also, you know, all the Reddit threads over the years, e.g.:

https://www.reddit.com/r/cybersecurity/comments/1ll1l6c/scattered_spider_tcs_blame_avoidance/

Are MSPs bad?

No. Managed Service Providers aren't bad. For small businesses in particular, a great MSP can elevate an organisation, giving it technology it would not be able to deploy and manage properly at its own scale.

However, when you are talking about organisations with tens of thousands of employees, outsourcing areas like cyber risk and compliance, cyber security operations, password reset helpdesks and so on takes on a level of risk which, I think, becomes highly questionable. It's not just risk: it's risk that can and does materialise. That 10% budget saving doesn't look so hot when the whole company has a heart attack.

MSPs rely on commonality to scale. They use, for example, teams of people who cover vast numbers of customers. They run IT helpdesks where, based on the phone number you call, you get a customised one in that company's name; e.g. TCS run a Microsoft frontline employee IT service desk.
But the person answering the phone is spinning many plates and just sees the number you called, pulls up that company's process, and runs through a script with you. It's easy to abuse, and easy for the operator to make a human error.

MSPs use Standard Operating Procedures. They'll be managing Active Directory, storage arrays, VMware clusters etc. across thousands of other organisations. They write everything down. Everything is documented. If you're an attacker, it's easy to abuse. These things are the beating heart of a company.

It's also the case that many MSPs pay incredibly poorly, and there are examples of staff at MSPs accepting bribes. Given the level of access they have, for example being able to reset MFA tokens for administrative users, paying incredibly low wages is not only risky, it's really dumb.

Incentives are broken

Capitalism encourages cost reduction. CIOs want to, or in some cases have to, cut 10% off their budget each year. But when you get to the point where the UK government may have to use taxpayer money to pay JLR's suppliers not to work, while JLR book record profits, we ought to ask ourselves: do the incentives here create economic risk to the UK?

With losses approaching a billion quid, you'd think insurance providers would be devastated and on high alert. No. Insurance providers are very excited by the incidents, and are currently out in full force profiting from them:

M&S attacks could be the key to winning new cyber business

Cyber incident response providers are equally loving it. Stick any of these breaches into Google, or ransomware in general, and it is boom times. A large part of the cyber industry bottom line is, sadly, ransomware, which is why there continues to be lobbying pushback against banning ransom payments.

Who isn't loving ransomware?
The victim orgs, the school children who see their schools close in incidents so regular they don't make the news, people who can't use council services for months on end in ransomware incidents which barely make the news... the list is long.

We've normalised ransomware.

The list will get longer as ransomware and extortion groups move on to things like airlines, food production, warehousing and other sectors. You might think: Kevin, they already do this. They've barely started. They have a target rich environment. There is no shortage of victims.

Because they know large orgs have outsourced helpdesks to super low cost providers, the threat increases. Because they know orgs have outsourced key IT systems to providers who have 3940 other customers and are managing from flow charts and SOP documents, the risk increases.

Because organisations are busy trying to automate everything and put IT at the heart of everything to reduce cost, the risk and the threat increase.

When you combine cost pressures, capitalism, automation and a digital economy, risks develop. Many orgs are, essentially, in a race to the bottom when it comes to cost. Races to the bottom don't end well.

Data protection

Ciaran Martin wrote a really good LinkedIn post which got me thinking:

Agreeing with Kevin Beaumont on Jaguar Land Rover hack | Ciaran Martin posted on the topic | LinkedIn

I'll quote him:

"So why are we still banging on about personal data in cases like this as if it's the primary concern? It's important. But car manufacturers don't hold much very interesting data about their customers. The *primary* issue here is the disruption, not data loss.

Part of the problem is that right now we have comprehensive legal obligations to protect data but we don't have comprehensive legal obligations to protect services. Even with the pending new legislation in the UK, it's only the critically important companies that will be covered.

My personal view is that we need to take a long hard look at this (im)balance. Both data security and service continuity are important. But they're quite different — it's the organisational equivalent of suffering someone sneaking around your house copying your sensitive information, or having someone punch you in the face and break your legs. Both are unpleasant and damaging, but they're very different experiences with very different impacts.

And yet law and practice tell us to worry about the former more than the latter. Isn't that a bit weird?"

He's right. I hadn't thought about it before. For example, the press has barely mentioned the Jaguar Land Rover incident after the first two days, save for when they admitted "some data" may be impacted. That became another news cycle. But why? The primary impact here is that the UK government may have to effectively bail out the motor sector. Not that some data may have been taken.

Companies are hyper focused on legislation, rightly so, and GDPR is proof that legislation works. However, while the focus on data protection is highly visible at most large organisations, the focus on cyber resilience is, frankly, almost non-existent.

Many organisations think IT disaster recovery plans deal with ransomware. They don't. The first thing ransomware groups do is delete backups and recovery systems, before they disrupt anything else. I've talked to business after business after business whose real plan for ransomware is simply: the insurance covers it, we'd pay. Anybody who has been in the trenches of these incidents will tell you that two things happen: your business IT has a heart attack, and paying does not equal restoration. In almost every case, even with payment, restoration takes weeks to months.
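Two of the patterns described above are detectable, if someone is actually watching the telemetry: a helpdesk-initiated MFA or password reset followed shortly by a sign-in from a device that account has never used (the phone-the-helpdesk play), and deletion of shadow copies and backup catalogues ahead of encryption (the backups-go-first play). The Python below is an added example written for this page; it is not code from the original post or from any of the organisations named. The JSON event schema, the `adm-` prefix used to recognise privileged accounts, the one-hour correlation window and the sample events are all constructed for the example and would need mapping onto real Entra ID, Active Directory and EDR logs.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not real logs). One JSON
# object per line: identity sign-ins, helpdesk-initiated resets and endpoint
# process creations. The field names are an assumption, not a vendor schema.
SAMPLE_LOG = """
{"ts": "2025-09-01T08:02:11Z", "type": "signin", "user": "j.smith", "device": "LT-4471", "ip": "10.20.3.15", "result": "success"}
{"ts": "2025-09-01T09:15:40Z", "type": "signin", "user": "adm-hughes", "device": "PAW-02", "ip": "10.20.9.8", "result": "success"}
{"ts": "2025-09-02T10:04:02Z", "type": "helpdesk_reset", "agent": "hd-agent-117", "user": "adm-hughes", "action": "mfa_reset", "ticket": "INC0099123"}
{"ts": "2025-09-02T10:09:37Z", "type": "signin", "user": "adm-hughes", "device": "DESKTOP-K7Q2", "ip": "203.0.113.45", "result": "success"}
{"ts": "2025-09-02T10:30:00Z", "type": "helpdesk_reset", "agent": "hd-agent-042", "user": "j.smith", "action": "password_reset", "ticket": "INC0099131"}
{"ts": "2025-09-02T10:41:12Z", "type": "signin", "user": "j.smith", "device": "LT-4471", "ip": "10.20.3.15", "result": "success"}
{"ts": "2025-09-03T02:12:55Z", "type": "process", "host": "FS01", "user": "adm-hughes", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2025-09-03T02:13:07Z", "type": "process", "host": "FS01", "user": "adm-hughes", "cmdline": "wbadmin.exe delete catalog -quiet"}
{"ts": "2025-09-03T09:00:00Z", "type": "process", "host": "WS22", "user": "j.smith", "cmdline": "notepad.exe report.txt"}
"""

PRIVILEGED_PREFIXES = ("adm-",)  # assumed naming convention for admin accounts

# Command lines commonly used to destroy recovery points before encryption.
# Matched case-insensitively after stripping ".exe" from the command line.
BACKUP_DESTRUCTION_MARKERS = (
    "vssadmin delete shadows",
    "wmic shadowcopy delete",
    "wbadmin delete catalog",
    "wbadmin delete systemstatebackup",
    "recoveryenabled no",
)


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_reset_then_new_device(events, window_minutes=60):
    """Flag a helpdesk reset followed, within the window, by a successful sign-in
    from a device never previously seen for that account. Devices seen on
    earlier sign-ins form the baseline, so a user resetting and then logging in
    from their usual machine does not fire."""
    window = timedelta(minutes=window_minutes)
    known_devices = {}  # user -> devices seen on successful sign-ins so far
    pending = {}        # user -> most recent helpdesk reset awaiting a sign-in
    alerts = []
    for e in events:
        if e["type"] == "helpdesk_reset":
            pending[e["user"]] = e
            continue
        if e["type"] != "signin" or e["result"] != "success":
            continue
        user, device = e["user"], e["device"]
        reset = pending.get(user)
        if reset is not None:
            if e["ts"] - reset["ts"] > window:
                del pending[user]  # window expired without a suspicious sign-in
            elif device not in known_devices.get(user, set()):
                alerts.append({
                    "rule": "helpdesk_reset_then_new_device",
                    "severity": "high" if user.startswith(PRIVILEGED_PREFIXES) else "medium",
                    "user": user,
                    "ticket": reset["ticket"],
                    "agent": reset["agent"],
                    "device": device,
                    "ip": e["ip"],
                    "minutes_after_reset": round((e["ts"] - reset["ts"]).total_seconds() / 60, 1),
                })
                del pending[user]
        known_devices.setdefault(user, set()).add(device)
    return alerts


def detect_backup_destruction(events):
    """Flag process creations whose command line matches a known backup-destruction pattern."""
    alerts = []
    for e in events:
        if e["type"] != "process":
            continue
        cmd = e["cmdline"].lower().replace(".exe", "")
        hit = next((m for m in BACKUP_DESTRUCTION_MARKERS if m in cmd), None)
        if hit is not None:
            alerts.append({
                "rule": "backup_destruction",
                "severity": "critical",
                "host": e["host"],
                "user": e["user"],
                "matched": hit,
                "cmdline": e["cmdline"],
            })
    return alerts


def run_detections(text=SAMPLE_LOG):
    """Run both rules and annotate backup destruction carried out by an account
    that was itself the subject of a suspicious helpdesk reset."""
    events = parse_events(text)
    alerts = detect_reset_then_new_device(events) + detect_backup_destruction(events)
    reset_users = {a["user"] for a in alerts if a["rule"] == "helpdesk_reset_then_new_device"}
    for a in alerts:
        if a["rule"] == "backup_destruction" and a["user"] in reset_users:
            a["note"] = "account had a helpdesk reset followed by a new-device sign-in; treat as active intrusion"
    return alerts


if __name__ == "__main__":
    for alert in run_detections():
        print(json.dumps(alert))
```

On the sample data the helpdesk rule fires once (the admin account reset via ticket INC0099123 and used from an unknown device a few minutes later), the backup rule fires twice, and both backup alerts carry the note because the same account was behind the suspicious reset. The known-device baseline is what separates this from a noisy "reset followed by sign-in" rule: the non-privileged user's reset followed by a sign-in from their usual laptop produces nothing. In a real deployment the baseline would be built from weeks of sign-in history rather than the handful of events shown here.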
The real risk, which often materialises, is that somebody deliberately tries to set your head office on fire, but via IT. And in almost all cases, when that happens, the organisation doesn't know what to do, and calls the NCSC and NCA like they're the fire department. The fire department they are not.

If you look at Marks and Spencer's website, they have a three page list of executives and C-levels who control every important element of the business, but there is nobody listed for cybersecurity. That role exists, but it isn't even seen as important enough to name on the website. The same goes for Jaguar Land Rover and Co-op Group.

What I think the UK government should do

There are a few pillars I think the UK can lead on:

Bring forward the legislation forcing companies to disclose if they have paid a ransom, and banning critical infrastructure from paying ransoms.

Ask for plans to be prepared to ban payment of all cyber ransoms by or for UK companies. This does not mean it has to be implemented. It means there should be planning in place for how to do it, should we need to pull this lever. It is also a signal of intent, including to boards, that "just pay" is a bad plan.

There needs to be education for very large organisations about the level of risk they take with third party service providers of absolutely critical services. Some of these services should be in house, properly managed, and ringfenced as a cost of doing business.

There needs to be follow-on exploration of legislation on cyber resilience around protecting key services. "BEING SOLD TO TATA", as seen on the board above, is probably not just being written at the Co-op. It's just that nobody outside realises it is happening.

There needs to be a plan to defuse the ransomware economy, even if that means pushing back against the cyber vendor industry. Incentives must be realigned.

I really do believe the UK can lead the way on this whole topic, and civil society would be better for it. I also believe we not only can, we must. The choice is going to be whether we react when things have gone very wrong, or start acting now.

This post was originally published in DoublePulsar on Medium.
Analysis Summary
# Industry News: Outsourcing Critical Functions Linked to Major UK Ransomware Breaches
## Summary
Three major UK ransomware/extortion incidents at Co-op Group, Marks and Spencer (M&S), and Jaguar Land Rover (JLR) share a common factor: each had outsourced key IT and cybersecurity functions (helpdesk, security operations, and in some cases GRC and identity management) to Tata Consultancy Services (TCS) within the preceding five years. The incidents have cost the affected organizations an estimated £1 billion in total, caused significant supply chain disruption, and raised serious concerns about UK economic security given an incentive structure that rewards low-cost outsourcing.
## Key Details
- Date: Not stated explicitly. The post was written roughly two weeks into the JLR manufacturing shutdown, with the Co-op and M&S incidents several months earlier.
- Companies Involved: Co-op Group, Marks and Spencer, Jaguar Land Rover (Victims); Tata Consultancy Services (TCS) (Outsourced Service Provider); UK Government/Taxpayers (Downstream impact).
- Category: Market Analysis / Risk Assessment / Supply Chain Security.
## The Story
Major UK firms—Co-op, M&S, and JLR—have suffered devastating cyberattacks, collectively costing approximately £1 billion. The author argues that the outsourcing of core IT and security functions, including helpdesks (the reported initial access point at Co-op and M&S) and Security Operations Centres (SOCs), to low-cost Managed Service Providers (MSPs) such as TCS is the thread connecting these breaches. M&S exceeded its £100m cyber insurance cover, Co-op had no cover at all, and JLR's multi-week manufacturing shutdown is prompting calls for a taxpayer-funded furlough scheme for its suppliers. The author argues that aggressive cost-cutting via outsourcing creates systemic weaknesses exploited by ransomware groups that often have larger R&D budgets than their targets. Furthermore, the focus on data protection compliance (GDPR) has overshadowed the need for service continuity and resilience planning against disruptive attacks.
## Business Impact
### For the Companies Involved
- **Financial Blows:** Around £500m in combined losses for Co-op and M&S per the Cyber Monitoring Centre, with M&S's £100m insurance cover exceeded ("full tower loss") and Co-op uninsured; JLR facing losses estimated at £10m–£72m per day, potentially exceeding £1 billion, despite record prior profits.
- **Operational Paralysis:** Co-op spent over a month without key IT systems and M&S was still recovering systems months later; JLR's prolonged halt in car manufacturing, with no restoration date known after two weeks, risks long-term contracts and market share.
- **Reputation Damage:** Questioning the viability of prior strategic decisions to outsource critical functions for cost savings.
### For Competitors
- Competitors may see immediate operational benefits if affected firms are preoccupied with recovery.
- However, the entire sector must now face increased scrutiny over their own outsourcing strategies, potentially leading to a defensive shift back toward in-sourcing or demanding higher security standards from existing MSPs.
### For Customers
- **Disruption:** Customers faced disruption to retail services (Co-op, M&S) and potential long-term delays in vehicle supply (JLR).
- **Taxpayer Exposure:** In the JLR case, suppliers facing bankruptcy could necessitate taxpayer-funded support (furlough schemes), effectively socializing the cost of corporate security decisions.
### For the Market
- **Increased Ransomware Economy:** These high-profile breaches provide funds and motivation for criminal groups to reinvest and scale attacks globally.
- **Cyber Insurance Volatility:** High-profile losses (like M&S’s "full tower loss") will likely drive up cyber insurance premiums or tighten coverage terms industry-wide.
- **Erosion of Trust in Outsourcing:** A significant market segment relying on low-cost offshore MSPs faces a crisis of confidence regarding inherent security risks versus 10% budget savings.
## Technical Implications
The incidents point to common vulnerabilities in MSP environments, specifically:
1. **Shared Helpdesk Abuse:** Attackers socially engineering outsourced, multi-customer helpdesks into granting access or resetting credentials and MFA, the LAPSUS$ playbook, where the agent only sees the inbound number and follows a script.
2. **Standardization Risks:** Over-reliance on Standard Operating Procedures (SOPs) and standardized configurations across numerous clients makes these environments predictable and easy for attackers to map and exploit.
3. **Backup Defeat:** Ransomware groups routinely delete backups and recovery systems, rendering traditional IT disaster recovery plans inadequate against modern extortion tactics.
## Strategic Analysis
- **Market Positioning:** Companies previously seen as agile due to aggressive outsourcing now face questions about their strategic risk posture. The industry is bifurcating between those who aggressively chase cost reduction and those prioritizing operational resilience.
- **Competitive Advantage:** Maintaining critical security functions in-house is emerging as a potential competitive advantage, shifting the focus from *cost* to *continuity*.
- **Challenges:** The core challenge is overcoming the capitalist incentive structure that prizes annual budget cuts, driving boards to accept questionable risk transfers via outsourcing contracts. Furthermore, the low pay within some MSPs increases risks related to insider fraud or susceptibility to bribery.
## Industry Reactions
- **Analyst Opinions:** Strong criticism of the current incentive structures, highlighting that the pursuit of small budget savings can lead to massive economic instability (e.g., taxpayer cost for supplier bailouts).
- **Expert Commentary:** The focus in regulation (e.g., GDPR) is misaligned, overemphasizing data loss risks while downplaying the existential threat of service disruption.
- **Market Response:** Cyber response providers and insurance firms are benefitting financially from the surge in these security incidents, creating an unfortunate feedback loop that normalizes ransomware activity.
## Future Outlook
- Expect increased regulatory pressure specifically targeting the operational resilience of critical services, moving beyond just data protection mandates.
- Proposals to ban or force disclosure of ransom payments will likely intensify as government involvement (potential bailouts) becomes tangible.
- A strategic reassessment by large corporations of in-sourcing versus outsourcing core security responsibilities (SOC, IAM, GRC, and privileged helpdesk functions) is highly probable over the next 12-24 months.
## For Security Professionals
This is a critical moment elevating the role of cyber resilience from a technical concern to a core C-suite and board imperative. Security leaders must argue forcefully that operational continuity planning (not just data recovery) is necessary, and that the control ceded to low-cost third parties over core functions must be rigorously justified against tangible macroeconomic risk. Furthermore, the lack of named cybersecurity executives on corporate websites suggests a perception problem that needs immediate correction; cybersecurity must be visibly represented at the highest levels of governance.