An Indian IT company is conducting an internal investigation to determine whether it was the gateway for the cyber attack on Marks & Spencer, BBC News understands.
Tata Consultancy Services (TCS) has provided services to M&S for more than a decade.
Earlier this week, M&S said the hackers who have brought huge disruption to the retailer managed to gain access to their systems via a “third party” – a company working alongside it – rather than accessing those systems directly.
M&S and TCS have both declined to comment.
The FT, which first reported the story, cited people close to the investigation who said it was hoped the probe would be concluded by the end of the month.
It is not clear when TCS launched its investigation.
Customers have not been able to buy items on the M&S website since the end of April.
It said earlier this week that online services should see a gradual return to normal over the coming weeks, but some level of disruption would continue until July.
M&S estimates that the cyber-attack will hit this year’s profits by around £300m.
Police are focusing on a notorious group of English-speaking hackers, known as Scattered Spider, the BBC has learned.
The same group is believed to have been behind attacks on the Co-op and Harrods, but it was M&S that suffered the biggest impact.
TCS says it has over 607,000 employees across the world and is the lead sponsor of three prestigious marathons – New York, London and Sydney.
On its website, TCS said it worked with M&S on Sparks, its customer reward scheme.
In 2023, TCS and M&S won the Retail Partnership of the Year award at the Retail Systems Awards.
TCS has a portfolio of well-known clients including the Co-Op, according to its website.
There is no indication if the internal probe is also looking at the hack on the Co-Op.
TCS also counts easyjet, Nationwide and Jaguar Land Rover among its many clients.
Earlier this week, M&S chief executive Stuart Machin said: “Over the last few weeks, we have been managing a highly sophisticated and targeted cyber-attack, which has led to a limited period of disruption.”
In a media call on Wednesday, he did not respond to a question about whether the company had paid a ransom as part of the process.