Marks & Spencer Digital Audit

Audit Phase: V-DIG (Digital Forensics — Cyber-Intelligence & Technology Supply Chain)
Audit Date: 2026-05-01
Prepared for: Internal audit record


Enterprise Technology Stack & Vendor Relationships

Strategic Technology Partnerships

M&S has a publicly documented strategic technology partnership with Microsoft, encompassing Microsoft Azure (cloud infrastructure), Microsoft 365 (productivity and communications), and Microsoft Copilot / Azure OpenAI Service (AI-assisted retail operations).[1] This partnership sits within M&S’s digital transformation programme — referred to as “Reshape for Growth” and its successor technology modernisation agenda — disclosed across the 2023 and 2024 annual reports.[1] Microsoft is a US-headquartered entity. While Microsoft operates a significant R&D presence in Israel, the M&S relationship is with the parent US entity; this does not constitute a relationship with an Israeli-origin vendor and is noted for completeness only.

M&S has publicly engaged Accenture and Wipro as technology delivery and systems integration partners, as referenced in annual reports and trade press across 2021–2024.[1] No evidence has been identified that these engagements mandated or deployed Israeli-origin technology as part of M&S programmes. No public evidence has been identified of M&S engaging Israeli-headquartered integrators — such as Amdocs or Sapiens — for any major programme.

Israeli-Origin Cybersecurity & Enterprise Software Vendors

No public evidence has been identified of M&S holding verified licensing, subscription, procurement, or integration relationships with any Israeli-origin technology vendor, including but not limited to: Check Point, Wiz, SentinelOne, CyberArk, Palo Alto Networks (Israeli-founded), Claroty, Verint, or NICE Systems. No corporate filings, procurement records, press releases, or investigative reports within the evidence base confirm any such relationship.[1]

The April–May 2025 cyberattack disclosures generated substantial public reporting on M&S’s security posture.[2][3][4][5] Despite detailed reporting across multiple outlets, no Israeli-origin security vendor was identified or confirmed as part of M&S’s security environment in any of that coverage.

Procurement Transparency Constraints

M&S is a private-sector company and is not subject to UK public procurement disclosure obligations. Vendor relationships below the level of named strategic partnerships are not publicly documented. The full security vendor stack in particular remains undisclosed. This constitutes the highest-priority evidence gap in this audit (see Evidence Gaps, §7).

Scale of Israeli-Origin Technology Dependency

No evidence is available to assess the scale of any Israeli-origin technology dependency, as no such vendor relationship has been verified.


Surveillance, Biometrics & Retail Technology

Facial Recognition & Biometric Identification

No public evidence has been identified that M&S has deployed facial recognition, biometric identification, gait analysis, or behavioural analytics technology of Israeli origin. Vendors of Israeli origin active in this space — including Trigo, AnyVision (now Oosto), BriefCam, and Trax — have not been linked to M&S in any confirmed public source.

M&S has not appeared in ICO enforcement actions relating to facial recognition technology as of the evidence cutoff.[6] M&S was not among the named retailers in the 2021–2022 ICO and consumer press investigations into live facial recognition use in UK retail environments, which specifically identified Southern Co-op’s Facewatch deployment as a subject of regulatory concern. Sources reviewed include the ICO public enforcement register[6] and, via training data, published reports by Big Brother Watch and Privacy International. No M&S-specific confirmed finding emerged from any of these sources.

Predictive Analytics, Workforce Monitoring & Social Media Surveillance

No public evidence has been identified of M&S using Israeli-origin predictive analytics, sentiment analysis, social media monitoring, or workforce surveillance tools.

Indirect Deployment via Managed Services

No public evidence has been identified of Israeli-origin surveillance or analytics tools reaching M&S indirectly via managed service providers or bundled enterprise suite deployments.

Third-Party Loss Prevention & Store-Level CCTV Analytics

M&S operates approximately 1,000 UK stores. Third-party loss prevention or CCTV analytics sub-contractors used at store level are not publicly disclosed. It cannot be confirmed or excluded whether any such sub-contractors deploy Israeli-origin technology within their own platform stacks. This remains an open evidence gap.


Cloud Infrastructure, Data Residency & Sovereign Cloud Participation

Data Centre Operations in Israel

No public evidence has been identified that M&S operates, leases, or co-locates data centre infrastructure within Israel. M&S’s disclosed cloud strategy centres on Microsoft Azure, with data residency in UK and EU regions as described in annual report risk disclosures.[1]

Project Nimbus & Israeli State Cloud Infrastructure

Not applicable. Project Nimbus is a contract awarded to Google Cloud and Amazon Web Services for the provision of cloud infrastructure to the Israeli government; it is not relevant to M&S as a procurer or provider. No public evidence has been identified of M&S participation in any Israeli state-backed digital infrastructure programme.

Data Sovereignty & Resilience Services to Israeli State Institutions

No public evidence has been identified. M&S does not operate as a technology or cloud service provider to any state body, Israeli or otherwise.

Ocado Joint Venture — Indirect Exposure

M&S’s online grocery fulfilment operates via its joint venture with Ocado Group, a UK-origin company.[1] Ocado’s own technology stack and vendor relationships — including any Israeli-origin components — represent a distinct and unresolved line of inquiry. Ocado has not been identified in the evidence base as using Israeli-origin technology, but this has not been systematically assessed. Any Israeli-origin digital exposure arising through Ocado’s infrastructure would not be directly within M&S Group plc’s disclosed technology perimeter.


Defence, Intelligence & Security Sector Technology Relationships

Military & Intelligence Contracts

No public evidence has been identified of any contracts, partnerships, or service agreements between M&S and the Israeli Ministry of Defence, the Israel Defense Forces (IDF), or Israeli intelligence agencies (including Unit 8200-linked commercial entities). M&S is a retail and food business; it does not publicly operate in the defence technology or security services sector.

Dual-Use Technology Provision

No public evidence has been identified of M&S commercial technology being reported or confirmed as deployed for military, intelligence, or law enforcement surveillance applications in Israel or in the Occupied Palestinian Territories.

Offensive Cyber Capability

No public evidence has been identified. M&S does not develop, license, or sell offensive cybersecurity capability products or services. M&S was itself the victim of a significant cyberattack in April–May 2025, attributed to the Scattered Spider threat actor group using DragonForce ransomware.[2][3][4][5] This incident is unrelated to this audit category and is addressed under Civil Society Scrutiny & Regulatory History in the context of the resulting ICO inquiry.

Israeli Franchise Operations — Digital Infrastructure Overlap

M&S operates franchise retail stores in Israel via a local franchise partner. Whether this franchise arrangement involves any sharing of central IT systems, data platforms, customer data infrastructure, or digital commerce architecture with M&S Group plc is not publicly documented. This represents a potential indirect digital exposure to Israeli operations that cannot be assessed or excluded on available evidence.


AI, Algorithmic & Autonomous Systems

AI/ML Provision to Israeli State Bodies

No public evidence has been identified. M&S is deploying AI and machine learning capabilities internally via Microsoft Azure OpenAI Service for retail use cases including demand forecasting, personalisation, and supply chain optimisation.[1] No evidence has been identified of any provision of these AI capabilities — or of underlying model access, training data, or inference services — to Israeli state, military, or security bodies.

Training Data & Model Development Involving Israeli Population Data

No public evidence has been identified of M&S contributing to, commissioning, or benefiting from AI model development involving Israeli population datasets.

Autonomous Systems & Lethality

No public evidence has been identified. The development or deployment of autonomous lethal systems is not applicable to M&S’s business domain.

Internal Algorithmic Deployment — Third-Party AI Vendor Exposure

M&S’s AI deployment, as documented, operates through Microsoft’s Azure platform.[1] As noted above, no Israeli-origin AI vendor relationship (e.g., with Palantir, which has significant Israeli state contracts, or Israeli-headquartered AI firms) has been verified. The undisclosed nature of the full vendor stack means Israeli-origin AI tooling embedded within managed services or sub-contracted analytics platforms cannot be ruled out as a secondary exposure.


Technology Ecosystem & R&D Footprint

Israeli R&D Facilities

No public evidence has been identified that M&S operates any R&D facility, engineering office, innovation lab, or corporate accelerator programme within Israel.

Acquisitions & Investments in Israeli Technology Companies

No public evidence has been identified. M&S’s documented acquisition and investment activity across 2019–2025 has focused on its food and fashion retail domain, most significantly the Ocado joint venture for online grocery fulfilment, which is a UK-origin company.[1] No Israeli technology company acquisitions, minority investments, or corporate venture capital positions are documented in available sources. Companies House filings confirm no Israeli-registered subsidiaries or holding structures.[9]

Patents & IP Co-Development with Israeli Institutions

No public evidence has been identified of patent portfolios, licensing agreements, or co-development arrangements between M&S and Israeli-domiciled entities or Israeli research institutions, including the Technion, Hebrew University of Jerusalem, or the Weizmann Institute of Science. Sources checked include Companies House filings[9] and USPTO/EPO patent databases via training data.

Supplier Code of Conduct — Technology Supply Chain Provisions

M&S’s Supplier Code of Conduct and Responsible Sourcing framework, published under its Plan A sustainability programme, addresses ethical sourcing obligations for M&S’s product supply chain.[7][10] These documents do not contain provisions specifically governing the origin or nationality of technology vendors, software suppliers, or digital infrastructure providers. No technology supply chain due diligence framework specific to vendor geopolitical exposure is publicly documented by M&S.


Civil Society Scrutiny & Regulatory History

NGO & Academic Scrutiny — Technology Supply Chain

No public evidence has been identified of any NGO investigation, academic study, or UN report specifically addressing M&S’s technology relationships with the Israeli state, Israeli defence entities, or Israeli-origin vendors. Civil society attention directed at M&S in relation to Israel has historically centred on M&S’s commercial retail history: its founding origins, its longstanding franchise store presence in Israel, and specific food product lines — not on any technology supply chain dimension.[8]

BDS Campaigns

M&S has been the subject of organised BDS (Boycott, Divestment, Sanctions) campaigns over an extended period.[8] The publicly documented grounds for these campaigns relate to M&S’s commercial retail presence in Israel via franchise stores and its historical corporate connections; they do not reference Israeli-origin technology procurement, software licensing, or digital infrastructure relationships.[8] M&S has not published a documented public response specifically addressing BDS campaign claims in any of its corporate filings reviewed.[1][10][7]

ICO — May 2025 Cyberattack & Customer Data Breach

The April–May 2025 cyberattack on M&S — attributed to the Scattered Spider threat actor group deploying DragonForce ransomware — caused significant operational disruption including the suspension of online orders, disruption to contactless payments in stores, and the compromise of customer personal data.[2][3][4][5] The incident triggered an ICO inquiry into M&S’s data protection obligations under UK GDPR.[6] This regulatory exposure relates to M&S’s posture as a victim of a cyberattack and the adequacy of its data security controls; it is not connected to any Israeli-origin technology relationship.

Export Controls & Sanctions Authorities

No public evidence has been identified of any action by UK export control authorities, HMRC, the Office of Financial Sanctions Implementation (OFSI), or any equivalent body relating to M&S technology sales, services, or data transfers to Israeli state entities. No such action is recorded in Companies House filings[9] or in the ICO enforcement register.[6]

No public evidence has been identified. No ICO, FCA, HMRC, export control, or sanctions body action relating to M&S technology sales or services to Israeli state entities is documented in available sources.


Evidence Gaps

The following gaps are identified as unresolved by available evidence and would require live web research, freedom of information requests, or direct company engagement to address:

  1. Security vendor stack (highest priority) — M&S does not publicly disclose its security vendor stack. The May 2025 cyberattack generated extensive reporting[2][3][4][5] but did not surface confirmed security product names in use at M&S. Any subsequent vendor remediation or replacement disclosures post-incident are unconfirmed. This gap prevents assessment of Israeli-origin cybersecurity vendor exposure with confidence.

  2. Full IT procurement and vendor list — Absent public procurement obligations, sub-strategic vendor relationships are not publicly documented. LinkedIn job postings, Gartner peer reviews, and procurement portal signals that might partially address this gap were inaccessible due to research constraints.

  3. Retail surveillance sub-contractors — Third-party loss prevention, CCTV analytics, and in-store technology sub-contractors at M&S’s approximately 1,000 UK stores are not publicly named. Israeli-origin technology embedded within these providers’ own stacks cannot be assessed.

  4. Ocado joint venture technology stack — Ocado Group’s vendor relationships, including any Israeli-origin technology components used in its customer fulfilment and logistics platform, have not been systematically reviewed. Any such exposure would be indirect to M&S Group plc.

  5. Israeli franchise digital infrastructure overlap — Whether M&S’s Israeli franchise operator shares central IT systems, data platforms, e-commerce architecture, or customer data infrastructure with M&S Group plc is not publicly documented.

  6. BDS and NGO technology-specific audit — There is no confirmed evidence that any civil society organisation has conducted a technology supply chain-specific audit of M&S. The existing BDS campaign focus is on commercial retail, not technology procurement.

  7. Post-April 2026 developments — All sources are limited to training data coverage through April 2026. Any vendor disclosures, regulatory findings, or civil society publications issued after that date are not reflected in this audit.


End Notes


  1. https://corporate.marksandspencer.com/investors/results-reports-and-presentations/annual-reports 

  2. https://www.theguardian.com/business/2025/apr/29/marks-spencer-cyber-attack 

  3. https://www.bbc.co.uk/news/articles/cy7d3zd9e4xo 

  4. https://www.bleepingcomputer.com/news/security/marks-spencer-cyberattack-linked-to-scattered-spider-ransomware-gang/ 

  5. https://news.sky.com/story/who-are-scattered-spider-the-hackers-behind-the-marks-spencer-cyber-attack-13366522 

  6. https://ico.org.uk/action-weve-taken/enforcement/ 

  7. https://corporate.marksandspencer.com/sustainability/plan-a/supply-chain 

  8. https://bdsmovement.net/act-now/economic-activism/targeted-companies 

  9. https://find-and-update.company-information.service.gov.uk/company/00214436 

  10. https://corporate.marksandspencer.com/sustainability 
