TCS has denied losing its Marks & Spencer contract after a cyberattack.
The episode highlights a shifting reality for India’s IT industry, where cost advantage alone is no longer enough to stay competitive.
In two years or less, the cost advantage driving firms like TCS, Infosys, Wipro, and Cognizant could disappear.
Tata Consultancy Services (TCS), India’s largest IT Services organization, spent considerable effort last week denying that it lost a major Marks & Spencer contract due to a cyberattack. The denial may be technically accurate - M&S had apparently decided to change partners before the April breach. But TCS's UK revenues tell a different story. After double-digit growth in FY24, the company's UK business has been in decline, turning negative at 1.3% in Q1 FY26 and worsening to negative 1.4% in Q2.
The numbers matter less than what they represent. For decades, India's IT services industry has built its success on a simple value proposition: we deliver comparable quality at significantly lower cost. That worked brilliantly when the competition was expensive western firms and the primary concern was the budget. But something fundamental has changed and most of our industry hasn't acknowledged it yet.
The AI Factor That Changes Everything
India became the world's back-office because we had millions of capable developers willing to work for a fraction of western salaries. That abundant, low-cost talent was our competitive USP. But AI is eroding that moat faster than most people realize.
GitHub Copilot, ChatGPT, Claude Code, and dozens of other AI coding assistants are already writing significant portions of production code. They don't get tired, don't need training on new frameworks, and work for the cost of an API call. Yes, they make mistakes. Yes, they need human oversight. But so do junior and mid-level developers, and AI is improving exponentially faster than humans.
AI might show bias in political or religious matters. But it has zero bias when it comes to writing code. It doesn't cut corners because it's tired or rushing to meet a deadline. It doesn't make careless mistakes because it's distracted. It doesn’t need holidays or sick leave. It does not care about vacations. It applies the same rigor to every line of code, every single time. For routine development work, or, in other words, “maintenance” work, which represents a substantial portion of what Indian IT services companies do, AI is already competitive and getting better monthly.
The uncomfortable truth our industry needs to face is this: In two years, possibly less, the cost advantage that built companies like TCS, Infosys, Wipro, and Cognizant will be largely irrelevant. Clients won't choose between Indian developers at $30 per hour and American developers at $100 per hour. They'll choose between AI at $3 per hour and human developers - from anywhere - who can justify their premium by delivering something AI can't.
There's another advantage we (India) have long relied on that's quietly disappearing - our English proficiency. While countries like China produced equally talented developers, language barriers limited their ability to communicate directly with Western clients. Indian developers could jump on calls, write documentation, and interact with stakeholders in fluent English. That was worth something. But AI's linguistic capabilities have made this advantage almost irrelevant. AI translates between languages with near-perfect accuracy, understands context, and can even annotate code in whatever language the client prefers. A developer in Beijing or São Paulo can now communicate as seamlessly with a New York client as someone in Bangalore. The language USP that Indian developers commanded is evaporating just as surely as the cost advantage.
What AI Can't Deliver: Trust
This is where the recent security incidents become more than isolated embarrassments - they represent an existential threat to the Indian IT services model.
When Marks & Spencer suffered a cyberattack that cost them an estimated £300 million in lost profits, the breach came through a contractor, using social engineering techniques. Though TCS denied responsibility, saying the breach occurred "in the client's own environment," the damage to perception was done. When JLR's factories shut down for weeks after a cyberattack caused £1.9 billion in total economic damage, TCS - which manages JLR's IT infrastructure under an £800 million contract - found itself under scrutiny by the UK Parliament's Business & Trade Committee.
When Clorox filed a $380 million lawsuit against Cognizant, alleging that a hacker posed as an employee and obtained network credentials from Cognizant's helpdesk without proper verification, it reinforced a growing narrative: Indian IT services companies may be cheap, but can they be trusted with critical infrastructure and sensitive data?
HFS Research estimates that for every cyberattack on an Indian IT services client that becomes public, six more are kept quiet to avoid negative publicity. If that's accurate, we have a systemic problem, not isolated security incidents.
Across the cybersecurity landscape, eScan has observed that the conversation has evolved significantly in recent years. Organizations today do not just assess security tools based on their ability to detect threats. They want assurance that these systems can identify and stop sophisticated social engineering attempts, such as those seen in the M&S and Clorox breaches. CISOs are now focused on whether their defenses can detect when a helpdesk operator is being manipulated into providing credentials. The questions have become sharper because the impact of such incidents has become painfully real.
The Japanese Model We Should Study
When Japanese automakers entered Western markets in the 1970s, they faced skepticism about quality. "Made in Japan" meant cheap, not good. Toyota, Honda, and others responded not with marketing but with obsessive focus on quality and reliability. They implemented zero-defect tolerance. They made quality everyone's responsibility, not just the quality control department's job. They built trust through consistent, exceptional execution.
It took decades, but "Made in Japan" came to mean the opposite of what it once did - the highest quality and reliability you could buy. Japanese cars command premium prices today, not because they're cheap but because buyers trust them completely.
Indian IT services firms are at a similar inflection point. As AI eliminates our cost advantage, what's left? If the answer is "nothing distinctive," then we're in trouble. But if the answer is "absolute reliability, uncompromising security, zero security incidents, and complete trustworthiness," then we have a sustainable competitive advantage that AI can't replicate.
The Path Forward Requires Hard Choices
This means fundamentally changing how Indian IT services companies operate. It means treating every security protocol as non-negotiable, even when it slows projects down or increases costs. It means implementing verification procedures that catch social engineering attempts, even if it frustrates legitimate users. It means designing systems with security built in from the start, not bolted on afterward.
Most importantly, it means recognizing that in an AI-powered future, trust becomes more valuable than cost. Clients will have no shortage of low-cost options, but will choose partners they can fully trust with their sensitive data and most important systems.
The question facing TCS, Cognizant, Infosys, Wipro, and every other Indian IT services firm is simple: will you make this transition before clients make it for you by choosing other partners? The recent UK revenue trends suggest that the shift has already begun. The rest of the industry would do well to take note.
The views expressed in this article are solely those of the authors.
















