INDEX / DIRECTORY / MARKS & SPENCER / DIGITAL

Marks & Spencer DIGITAL

DIGITAL INFRASTRUCTURE AUDIT UPDATED 2026-06-13
Digital Score 0.00 /10 D Marks & Spencer - BDS-1000 208
Digital 0.00

Evidence-only forensic audit. Scoring happens downstream - see the main dossier for the composite assessment.

Digital Audit: Marks & Spencer Group plc

Audit Phase: Digital (Digital / Technology Forensics) Subject Entity: Marks & Spencer Group plc (LSE: MKS) Registered Address: Waterside House, 35 North Wharf Road, London W2 1NW, United Kingdom Audit Date: June 2026 Evidence Base: Published corporate disclosures, vendor press releases, trade and technology press, NGO research, and regulatory/biometric-policy reporting. All factual claims are drawn from publicly available sources cited in the End Notes.

Scope and directionality note: Digital assesses the digital/technology nexus to Israel. The serious case is the provision of surveillance, digital, data, or cyber technology to the Israeli state, military, or security services. The reverse direction - M&S procuring technology from Israeli-origin vendors - is a customer relationship and is recorded explicitly as such, weighted far lower than provision. No transitive guilt is imputed: an Israeli vendor’s other clients, its founders’ military backgrounds, or a parent group’s separate activities are not attributed to M&S. US-entity relationships (e.g. Microsoft) are not Israeli-origin and are noted only for completeness.

Enterprise Technology Stack & Vendor Relationships

Strategic Technology Partnerships (Direction: M&S as customer)

M&S’s principal disclosed enterprise technology relationship is with Microsoft, a US-headquartered entity. M&S and Microsoft announced a strategic partnership to apply Microsoft AI and Azure technologies across M&S’s customer experience, stores, and operations.1 M&S has publicly migrated workloads to Microsoft Azure, using Azure Synapse Analytics, Azure Data Lake Storage, and Azure Databricks within its “BEAM” cloud data platform, and has deployed Azure Machine Learning for its loyalty programme.234 Microsoft operates an R&D presence in Israel, but the M&S relationship is contracted with the US parent entity; this is not an Israeli-origin vendor relationship and is recorded for completeness only.1

M&S also runs supply-chain planning on Blue Yonder (US-origin) cloud solutions, with Tata Consultancy Services (TCS) as a systems-integration partner.56 No public evidence was identified that these engagements mandated or deployed Israeli-origin technology within M&S programmes.

Israeli-Origin Technology Vendors in the M&S Stack (Direction: M&S as customer)

Three Israeli-origin technology vendors are documented in public sources as suppliers to M&S. In every case the direction is M&S as the customer/client procuring a commercial SaaS product - not M&S providing technology to any Israeli entity.

Syte - In January 2019, M&S launched an AI-powered visual-search tool, “Style Finder,” on its mobile site, powered by the visual-AI startup Syte, founded in Tel Aviv in 2015.78 Jim Cruickshank, then M&S head of digital product and UX, was quoted on the launch.7 M&S is the retail customer; Syte is the vendor.

Global-e - In 2019 M&S selected and extended a partnership with Global-e to localise and operate its international online storefronts (currencies, languages, payment methods, duty/tax calculation).910 Global-e (Global-E Online Ltd) was founded in 2013 by Amir Schlachet, Shahar Tamari, and Nir Debbi, maintains a development centre in Petah Tikva, Israel, and listed on Nasdaq (GLBE) in 2021.1112 M&S is the customer; Global-e is the cross-border e-commerce vendor.

Namogoo - In January 2021, M&S selected Namogoo (Namogoo Technologies Ltd, founded 2014, headquartered in Herzliya, Israel, by Chemi Katz and Ohad Greenshpan) to provide “Customer Journey Hijacking” prevention on M&S.com - software that blocks unauthorised ad injections in shoppers’ browsers.131415 David Han, M&S Head of Digital Product, was quoted on the deployment.13 M&S is the customer; Namogoo is the vendor. (Namogoo was acquired by French firm AB Tasty in November 2025.)15

Each of these is a procurement (inbound) relationship. None involves M&S supplying technology, data, or services to Israel.

Israeli-Origin Cybersecurity Vendors

No public evidence was independently identified confirming that M&S holds a licensing, subscription, or integration relationship with any Israeli-origin cybersecurity vendor - including Check Point, Wiz, CyberArk, SentinelOne, Claroty, Verint, or NICE Systems. General reporting confirms these are Israeli-founded firms (several with Unit 8200-veteran founders),16 but none was linked to M&S’s environment in any independently sourced record reviewed. Extensive press coverage of the April–May 2025 cyberattack (below) named M&S’s incident-response firms as CrowdStrike, Microsoft, and Fenix24 - none of which is an Israeli-origin vendor - and did not surface any Israeli security product in M&S’s stack.1718

Procurement Transparency Constraints

M&S is a private-sector company not subject to UK public-procurement disclosure obligations. Vendor relationships below the level of named, publicly announced partnerships are not in the public domain, and the full security/IT vendor stack is undisclosed. This is the principal evidence gap in this domain.

Surveillance, Biometrics & Retail Technology

Facial Recognition - UK Domestic Policing (Project Pegasus)

M&S is named as one of approximately 14 major UK retailers participating in Project Pegasus, a UK Home Office / police initiative launched in October 2023 under which retailers share CCTV footage with police forces, who run it against the Police National Database (PND) using retrospective facial-recognition software to identify shoplifters.1920 Reporting names M&S alongside Boots, Co-op, John Lewis, and others; the broader retail-crime package included a ÂŁ55.5m government commitment, with the retailer-funded element of the data-sharing effort reported at around ÂŁ600,000 across the participating retailers.2021

Project Pegasus is a UK domestic law-enforcement programme with no Israel nexus. Primary reporting identifies no Israeli-origin facial-recognition vendor in the scheme (the matching is performed by police against the PND), and no provision of any technology, data, or service to Israel arises from M&S’s participation.1920 No public evidence was identified that M&S itself operates live facial recognition on customers in its own stores; contemporaneous UK live-FR retail deployments reported by Big Brother Watch and trade press named other retailers (e.g. Asda, Sainsbury’s, Frasers Group via Facewatch), not M&S.2223

Israeli-Origin Surveillance / Biometric Vendors

No public evidence was identified that M&S has deployed facial-recognition, biometric, gait-analysis, or in-store behavioural-analytics technology of Israeli origin (e.g. Oosto/AnyVision, BriefCam, Trigo, Trax). Israeli retail-tech firms such as Trigo and Trax are documented with other European clients (e.g. Tesco, REWE, Aldi Nord for Trigo), but no public source links any of them to M&S.24 No public evidence identified.

Predictive Analytics, Workforce Monitoring & Social-Media Surveillance

No public evidence was identified of M&S using Israeli-origin predictive-analytics, sentiment-analysis, social-media-monitoring, or workforce-surveillance tools.

Third-Party Loss Prevention & Store-Level CCTV Analytics

M&S operates a large UK store estate. Third-party loss-prevention or CCTV-analytics sub-contractors used at store level are not publicly disclosed, and it cannot be confirmed or excluded from public evidence whether any such sub-contractor deploys Israeli-origin technology within its own platform. No public evidence identified linking any to M&S.

Cloud Infrastructure, Data Residency & Sovereign Cloud Participation

Data Centre Operations in Israel

No public evidence was identified that M&S operates, leases, or co-locates data-centre infrastructure within Israel. M&S’s disclosed cloud strategy centres on Microsoft Azure (a US-entity relationship), with UK/EU data-platform operations described in its technology disclosures.123

Project Nimbus & Israeli State Cloud Infrastructure

Not applicable. Project Nimbus is the Israeli-government cloud contract awarded to Google Cloud and Amazon Web Services; M&S is neither a participant nor a sub-provider. No public evidence was identified of M&S involvement in any Israeli state-backed digital-infrastructure programme.

Data-Sovereignty or Resilience Services to Israeli State Institutions

No public evidence identified. M&S does not operate as a technology or cloud-service provider to any state body, Israeli or otherwise.

Ocado Joint Venture - Indirect Exposure

M&S’s online grocery fulfilment operates via Ocado Retail, a joint venture using technology from Ocado Group, a UK-origin company. Ocado’s own vendor stack has not been systematically assessed in public sources for Israeli-origin components; no such component was identified in this review. Any such exposure would be indirect to M&S Group plc and is recorded as an unresolved line of inquiry rather than a finding.

Defence, Intelligence & Security Sector Technology Relationships

Military & Intelligence Contracts

No public evidence was identified of any contract, partnership, or service agreement between M&S and the Israeli Ministry of Defence, the Israel Defense Forces (IDF), or Israeli intelligence agencies (including Unit 8200-linked commercial entities). M&S is a retail and food business and does not publicly operate in the defence-technology or security-services sector.

Provision of Technology / Data to the Israeli State or Military

No public evidence was identified of M&S providing surveillance technology, data, software, cloud capacity, or digital services to the Israeli state, military, or security services. This is the directionally serious Digital case, and no qualifying evidence of it was found. No public evidence identified.

Dual-Use Technology Provision

No public evidence was identified of M&S commercial technology being reported or confirmed as deployed for military, intelligence, or law-enforcement surveillance applications in Israel or the Occupied Palestinian Territories.

Offensive Cyber Capability

No public evidence identified. M&S does not develop, license, or sell offensive cyber capability. M&S was itself the victim of a major cyberattack in April–May 2025, attributed to the Scattered Spider threat-actor group deploying DragonForce ransomware; the breach (initial access dated to February 2025, encryption on 24 April 2025, disclosed 28 April 2025) disrupted online ordering and contactless payments and compromised customer personal data.171825 This incident was done to M&S and has no nexus to the provision of technology to Israel; it is recorded here as factual digital context only.

Israeli Franchise Operations - Digital Infrastructure Overlap

M&S operates franchise retail stores in Israel via a local franchise partner (see Economic). Whether this franchise involves any sharing of central IT systems, customer-data platforms, or digital-commerce architecture with M&S Group plc is not publicly documented. This is recorded as an unresolved indirect-exposure question, not a finding. No public evidence identified.

AI, Algorithmic & Autonomous Systems

AI/ML Provision to Israeli State Bodies

No public evidence identified. M&S deploys AI/ML internally (demand forecasting, personalisation, supply-chain optimisation) primarily via Microsoft Azure;14 no public evidence was identified of M&S providing AI capability, model access, training data, or inference services to any Israeli state, military, or security body.

Training Data & Model Development Involving Israeli Population Data

No public evidence was identified of M&S contributing to, commissioning, or benefiting from AI model development involving Israeli population datasets.

Autonomous Systems & Lethality

No public evidence identified. The development or deployment of autonomous lethal systems is not within M&S’s business domain.

Internal Algorithmic Deployment - Israeli-Origin AI Tooling

M&S’s documented internal AI deployment runs through Microsoft’s Azure platform (US-entity).14 Of the Israeli-origin vendors identified in this audit, Syte supplies visual-AI search as a customer-facing tool (M&S as customer).7 No public evidence was identified of any other Israeli-origin AI vendor embedded in M&S’s stack; the undisclosed full vendor list means secondary embedding within managed services cannot be positively excluded, but no such instance was identified.

Technology Ecosystem & R&D Footprint

Israeli R&D Facilities

No public evidence was identified that M&S operates any R&D facility, engineering office, innovation lab, or accelerator programme within Israel.

Acquisitions & Investments in Israeli Technology Companies

No public evidence was identified of M&S acquiring, or taking a corporate-venture stake in, any Israeli technology company. M&S’s documented investment activity centres on its food and fashion domain and its UK-origin Ocado joint venture.1 The Israeli-origin vendors identified here (Syte, Global-e, Namogoo) are commercial software suppliers, not M&S investments. No public evidence identified of an Israeli-registered M&S subsidiary or holding structure (consistent with Companies House filings reviewed in Economic).26

Patents & IP Co-Development with Israeli Institutions

No public evidence was identified of patent portfolios, licensing, or co-development arrangements between M&S and Israeli-domiciled entities or research institutions (Technion, Hebrew University, Weizmann Institute).

Supplier Code of Conduct - Technology Supply-Chain Provisions

M&S’s responsible-sourcing and supplier-conduct frameworks address ethical obligations for its product supply chain but do not, in public versions reviewed, contain provisions governing the national origin or geopolitical exposure of technology vendors, software suppliers, or digital-infrastructure providers.27 No technology-supply-chain due-diligence framework specific to vendor geopolitical exposure is publicly documented by M&S.

Civil Society Scrutiny & Regulatory History

NGO & Academic Scrutiny - Technology Supply Chain

No public evidence was identified of an NGO investigation, academic study, or UN report addressing M&S’s technology relationships with the Israeli state, Israeli defence entities, or Israeli-origin vendors. The Who Profits Research Centre database focuses on corporate involvement in the settlement economy; civil-society attention on M&S in relation to Israel has historically centred on its commercial retail history, franchise presence, and food sourcing (the Economic domain), not on technology procurement.28

BDS Campaigns

M&S has been a long-standing subject of BDS campaigning.29 The publicly documented grounds relate to M&S’s retail presence in Israel and its historical corporate connections, not to Israeli-origin technology procurement, software licensing, or digital-infrastructure provision. No public evidence was identified of a BDS or NGO campaign specifically targeting M&S’s technology relationships.

ICO - April–May 2025 Cyberattack & Customer Data Breach

The April–May 2025 cyberattack compromised M&S customer personal data and triggered data-protection scrutiny under UK GDPR.171825 This exposure concerns M&S’s posture as the victim of an attack and the adequacy of its data-security controls; it is not connected to any Israeli-origin technology relationship.

Export Controls & Sanctions Authorities

No public evidence was identified of any action by UK export-control authorities, HMRC, the Office of Financial Sanctions Implementation (OFSI), or any equivalent body relating to M&S technology sales, services, or data transfers to Israeli state entities. No public evidence identified.

Regulatory & Legal Actions - Technology Sales to Israeli State Entities

No public evidence identified of any ICO, FCA, HMRC, export-control, or sanctions-body action relating to M&S technology sales or services to Israeli state entities.

Evidence Gaps

  1. Full IT and security vendor stack (highest priority) - As a private company, M&S does not publicly disclose its sub-strategic IT and security vendor relationships. The April–May 2025 incident generated extensive reporting but surfaced only US-origin response firms (CrowdStrike, Microsoft, Fenix24); the resident security-product stack is undisclosed, so Israeli-origin cybersecurity vendor exposure cannot be positively excluded on public evidence.

  2. Retail surveillance sub-contractors - Third-party loss-prevention and CCTV-analytics sub-contractors across M&S’s UK store estate are not publicly named; Israeli-origin technology embedded within their own stacks cannot be assessed.

  3. Ocado joint-venture technology stack - Ocado Group’s vendor relationships, including any Israeli-origin components, have not been systematically reviewed; any such exposure would be indirect to M&S Group plc.

  4. Israeli franchise digital infrastructure overlap - Whether M&S’s Israeli franchise operator shares central IT systems, e-commerce architecture, or customer-data infrastructure with M&S Group plc is not publicly documented.

  5. Depth of identified vendor relationships - The Syte, Global-e, and Namogoo relationships are confirmed as procurement (M&S as customer) from press and vendor sources, but contract scope, data-flow specifics, and current status (post-2025 for Namogoo following its AB Tasty acquisition) are not fully disclosed.

End Notes

Footnotes

  1. https://corporate.marksandspencer.com/media/press-releases/microsoft-and-ms-launch-strategic-partnership-aimed-transforming-retail ↩ ↩2 ↩3 ↩4 ↩5 ↩6

  2. https://www.microsoft.com/en/customers/story/1620068383237408887-marksandspencer-azuresynapseanalytics-unitedkingdom ↩ ↩2

  3. https://www.microsoft.com/en/customers/story/844799-marks-and-spencer-retailers-azure ↩ ↩2

  4. https://www.microsoft.com/en/customers/story/1638626120995556543-marks-and-spencer-retailer-azure-machine-learning ↩ ↩2 ↩3

  5. https://blueyonder.com/customers/marks-and-spencer ↩

  6. https://www.tcs.com/what-we-do/industries/retail/case-study/marks-spencer-partnered-tcs-help-transform-their-business-operations ↩

  7. https://fashionunited.uk/news/retail/marks-and-spencer-introduces-visual-search-for-mobile/2019012141126 ↩ ↩2 ↩3

  8. https://www.retail-insight-network.com/news/syte-visual-search-navigation/ ↩

  9. https://www.chargedretail.co.uk/2019/07/04/ms-seeks-to-drive-international-ecommerce-growth-with-global-e-partnership/ ↩

  10. https://www.retailtouchpoints.com/features/news-briefs/marks-spencer-turbocharges-online-business-with-46-new-international-websites ↩

  11. https://en.globes.co.il/en/article-israeli-e-commerce-startup-global-e-raises-20m-1001123051 ↩

  12. https://www.globenewswire.com/news-release/2022/06/21/2465912/0/en/Global-e-to-Acquire-Borderfree-Cross-Border-ecommerce-Service-from-Pitney-Bowes.html ↩

  13. https://www.wfmz.com/news/pr_newswire/pr_newswire_entertainment/namogoo-selected-by-marks-spencer-to-help-optimise-the-customer-journey-on-m-s-com/article_b63c7a78-e33e-51ff-8ba2-8e9b90cae146.html ↩ ↩2

  14. https://retailtechinnovationhub.com/home/2021/1/12/marks-and-spencer-announces-namogoo-online-tie-up ↩

  15. https://en.wikipedia.org/wiki/Namogoo ↩ ↩2

  16. https://en.wikipedia.org/wiki/Check_Point ↩

  17. https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/ ↩ ↩2 ↩3

  18. https://www.bbc.co.uk/news/articles/cy7d3zd9e4xo ↩ ↩2 ↩3

  19. https://www.computerweekly.com/news/366580438/Facial-recognition-to-play-key-role-in-UK-shoplifting-crackdown ↩ ↩2

  20. https://www.biometricupdate.com/202309/uk-police-retailers-partner-to-fight-shoplifting-with-biometrics ↩ ↩2 ↩3

  21. https://fortune.com/2023/09/12/britain-retailers-police-shoplifting-crime-john-lewis-tesco-sainsburys-co-op ↩

  22. https://bigbrotherwatch.org.uk/campaigns/stop-facial-recognition/ ↩

  23. https://www.theregister.com/2025/09/04/sainsburys_lfr/ ↩

  24. https://www.timesofisrael.com/israels-trigo-secures-100m-investment-for-shop-and-go-retail-tech/ ↩

  25. https://www.aljazeera.com/news/2025/5/2/harrods-ms-hit-by-cyberattack-what-happened-whos-behind-it ↩ ↩2

  26. https://find-and-update.company-information.service.gov.uk/company/00214436 ↩

  27. https://corporate.marksandspencer.com/sustainability ↩

  28. https://whoprofits.org/company/marks-spencer/ ↩

  29. https://bdsmovement.net/tags/marks-spencer ↩