Jaguar Land Rover Cyberattack: An Ominous Lesson for UK Businesses

A sophisticated cyberattack targeting Jaguar Land Rover (JLR), potentially the costliest security breach in British history, has ignited concerns about the UK’s preparedness to confront the escalating cyber threat landscape. The incident underscores the increasing vulnerability of critical infrastructure and major corporations to financially motivated cybercrime.

The Cyber Monitoring Centre, a leading cybersecurity watchdog, estimates the attack on the UK’s largest automaker could cost the nation a staggering £1.9 billion ($2.5 billion). This figure reflects not only the direct costs associated with the breach but also the significant operational disruption inflicted upon JLR’s global manufacturing network. Sources familiar with JLR’s internal investigation suggest the attackers leveraged a zero-day vulnerability in a widely used enterprise software platform, allowing them to gain initial access and subsequently move laterally through the network. The sophistication of the attack hints at nation-state involvement or a highly skilled, well-resourced criminal enterprise.

JLR is currently undertaking a phased restart of operations after the cyber incident forced a temporary halt to production at its factories worldwide. The company’s reliance on a just-in-time supply chain exacerbated the impact, as the production shutdown rippled through its vast network of suppliers and partners.

“The threat profile is evolving rapidly,” stated Edward Lewis, director at the Cyber Monitoring Centre, during an interview. “What we’ve seen with JLR represents a dramatic shift towards targeting economic security at both the organizational and national levels. This isn’t just another cyber headline; it’s a macro-economic event with significant consequences for the UK.” His comments speak to a broader trend where cyberattacks are increasingly viewed as economic weapons, capable of inflicting substantial damage to a nation’s GDP and competitiveness.

While the Department for Business and Trade has not directly addressed specific questions regarding the government’s level of preparedness, it acknowledges the severity of the threat and is working with industry partners to strengthen cybersecurity defenses.

JLR first reported the “cyber incident” on Sept. 2. As the UK’s largest automotive employer, responsible for roughly 33,000 domestic jobs and impacting a further 104,000 jobs across its extensive supply chain, the attack has had far reaching consequences. Initial figures from JLR indicate a substantial impact, with wholesale deliveries down nearly 25% year-on-year in the fiscal second quarter. Analysts are closely watching how quickly JLR can restore full production capacity and mitigate the long-term reputational damage.

Data released on Tuesday by the European Automobile Manufacturers’ Association (ACEA) reveals a sharp decline in Jaguar sales within the EU, down nearly 80% year-to-date through September. This figure likely reflects both the impact of the cyberattack and broader market challenges facing the luxury automotive sector.

That impact is being felt on links all along the value chain. A survey of businesses across the West Midlands region indicates that nearly eight in 10 firms were negatively impacted by the cyberattack, with 14% already making redundancies by late September, highlighting the cascading economic repercussions.

This cyberattack comes amid a period of sustained decline for the British car industry, which has struggled with Brexit-related trade barriers, semiconductor shortages, and the transition to electric vehicles. September’s production figures marked the lowest level since 1952, signaling deeper structural challenges within the sector.

JLR’s significance to the UK economy is underscored by its explicit mention in S&P’s manufacturing PMI release for September, which fell to a six-month low of 46.2, well below the 50-mark that separates expansion from contraction. The report cited the JLR plant shutdown as a key factor in the decline, demonstrating the automaker’s outsized influence on overall manufacturing activity.

The attack is reportedly attributed to a cybercriminal group known as Scattered Lapsus$ Hunters, believed to be a collaboration of three collectives, including Scattered Spider — which has been linked to previous attacks on British retailers. The sophistication and tactics employed suggest a high degree of technical expertise and potentially access to insider information.

The UK’s National Cyber Security Centre (NCSC) has warned of a concerning increase in cybercrime, with the country now facing an average of four “nationally significant” cyberattacks each week. This represents a surge of over 100% compared to previous levels, highlighting the urgent need for enhanced cybersecurity measures across both public and private sectors. The increase in attacks is attributed to a number of factors, including the proliferation of ransomware-as-a-service, the increasing sophistication of phishing campaigns, and the exploitation of vulnerabilities in legacy IT systems. This is putting business at great risks.

The NCSC, along with the National Crime Agency and government ministers, recently issued a joint letter to the leaders of every FTSE 350 company, urging them to proactively protect themselves from cyberattacks. This unprecedented move underscores the government’s growing concern and its determination to prioritize cybersecurity as a critical business imperative.

Government attention has also turned to JLR’s parent company, Tata Group, whose subsidiary Tata Motors acquired Jaguar and Land Rover from Ford in 2008. Regulators are scrutinizing the role of Tata Consulting Services (TCS), another Tata subsidiary, which provides IT services to JLR and many other UK-based companies.

JLR is among over 200 UK firms that outsource some or all of their IT management to TCS. Notably, JLR expanded its partnership with TCS in late 2023 in a deal worth over £800 million, tasking TCS with creating a “simplified and leading-edge IT infrastructure.” While outsourcing IT functions can offer cost savings and access to specialized expertise, it also introduces additional risks if not managed effectively. Companies must carefully vet their IT service providers and ensure they maintain robust cybersecurity protocols.

Other companies leveraging TCS’s services include retailers Marks and Spencer and Co-op, both of whom have also been hit by recent cyberattacks. This has led to questions about whether shared vulnerabilities within TCS’s infrastructure may have been exploited to launch these attacks. However, TCS maintains that the cyberattacks originated within the clients’ own systems and that its networks were not compromised.

Reports suggest that Marks and Spencer ended its business relationship with TCS in July after the cyber attack; however, TCS has denied these claims, stating reports concerning the size of contracts etc are misleading.

Spokespeople for both TCS and Marks & Spencer say they were beginning the bidding process for the service desk contract months before the attack.

Liam Byrne, chair of the U.K.’s Business and Trade Committee, requested information from TCS CEO Krithi Krithivasan regarding reports linking the Marks and Spencer attack to one of TCS’ employees. TCS stated there were “no indicators of compromise” within its network and that the cyberattacks took place within the clients’ own systems. Industry experts suggest a thorough investigation is warranted to determine the root cause of these attacks and identify any potential systemic vulnerabilities. In response to the request, TCS has stated that attacks had not originated from within its own networks.

According to TCS, in none of the cases referred to has the attack come from outside TCS or the established network; nevertheless, that the company’s main priority has been to assist our clientele during any periods like this. TCS has come to the conclusion vulnerabilities have not originated from within their own networks following a review of their network systems.

JLR accounts for 4% of all UK goods exports which makes its stability essential for the UK. Therefore, the government acted swiftly to try to support the company and the businesses that rely upon to function, with reports detailing that the UK mulled becoming a “buyer of last resort” for those companies, planning to sell components to JLR once it resumed production.

Although the Department for Business and Trade has been unable to verify the claims, a spokesperson indicated that they acted swiftly to provide cyber security expertise and made a loan guarantee available at a critical moment to help stabilise the the situation and that the department is working closely with JLR, the industry and major banks to keep a close eye on the supply chain.

Reports indicate that JLR did not have cyber insurance when the security breach happened, with critics questioning whether the idea of the government intervention to prevent situations such as this is sustainable going forward.

The government has said it will partially guarantee £1.5 billion in loans from commercial lenders – meaning the government will incur costs should JLR default.

The Confederation of British Metalforming, representing many businesses within JLR’s supply chain, called for further long-term support options, saying “the price of saving good companies is a lot cheaper than losing them.”

According to Lewis from the Cyber Monitoring Centre, even though “it’s still a moral hazard if public intervention removes the incentive to invest in resilience,” it’s unlikely any policy “would even have touched the sides of the financial exposure” JLR has experienced.

Lewis says that the focus should be concentrated on turning resilience into value, and that while emphasis can’t be on admonishment it should be about encouraging a collective national understanding of the scale of this threat, what resilience really means day to day.