
Jaguar Land Rover and the True Cost of Attack: Lessons for CISOs

The JLR cyberattack led to losses estimated at £1.9 billion. What lessons can be learned for UK CISOs looking to shore up their cyber defences?

In September 2025, Jaguar Land Rover (JLR) suffered one of the most disruptive cyber incidents in UK history. The attack forced factory shutdowns across four countries, halted deliveries and resulted in losses estimated at £1.9 billion. This eye-watering cost made it the most economically damaging cyber event to ever hit the UK, according to the Cyber Monitoring Centre (CMC).

The JLR incident is a prime example of how a cyberattack can hit businesses’ bottom line and impact their reputation going forward. What lessons can be learned for UK CISOs looking to shore up their cyber defences?

Well-Trodden Attack Path

One of the worst things about the JLR incident was the simplicity of the attack itself – which was apparently perpetrated by Scattered Lapsus$ Hunters – an offshoot of the infamous groups Scattered Spider, Lapsus$ and ShinyHunters.

Known for using vishing calls, SMS spoofing, and fake IT support messages to obtain employee credentials, the groups all specialise in social engineering, rather than complex technical exploits.

Taking this into account, the JLR incident appears to be the result of an “entirely predictable and well-trodden attack path,” says Mark Taylor, CTO and founder of Chorus. “A combined set of hacker groups worked together to gain access to credentials, which were then used to laterally move through the network, exploiting further unpatched flaws on existing JLR internal systems, to ultimately gain enough access to cause significant disruption.”

The JLR incident appears to be a “strikingly similar attack” to the one that hit M&S earlier in the year, says Taylor. “The hackers used social engineering techniques to speak to IT support teams, convinced them they were internal JLR employees and gained access to their credentials.”

Several “critical security fundamentals” broke down simultaneously to enable the attack, says Axel Maisonneuve, technical education contributor at BSV Association. To start with, social engineering was underestimated, he says. “The use of voice phishing and SMS spoofing bypassed traditional email filters entirely. Many organisations still lack processes to verify identity during IT support calls – a basic gap that groups such as Lapsus$ and Scattered Spider repeatedly exploit.”

Prolonged Access to Data 

The attackers took advantage of this human entry point to access JLR’s internal systems, move laterally through the network, and exfiltrate around 350GB of internal data, including source code and operational files. “That volume of data suggests prolonged undetected access, something that effective network monitoring tools should have flagged,” according to Maisonneuve.
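The monitoring gap Maisonneuve describes is, in practice, a question of whether anyone was summing outbound bytes per host over days rather than looking only at individual transfers. The following is an added example, not tooling from JLR or any vendor quoted here: it slides a seven-day window over constructed flow records and flags any internal host whose egress to external addresses crosses a threshold inside that window. The address ranges, the threshold and the flow lines are all assumptions made for the illustration.

```python
"""Detect slow, cumulative exfiltration from flow records.

Added illustration (not JLR's tooling): a rolling-window sum of outbound
bytes per internal host, flagging hosts whose egress to external addresses
crosses a threshold within the window. Flow records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal address space (hypothetical).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow log: timestamp  src  dst  bytes_sent (not real JLR data).
# 10.1.2.3 ships ~200 MiB a night for six nights: small per day, large in total.
# The July line is the same host well outside the window and must not count.
SAMPLE_FLOWS = """\
2025-07-20T02:15:00 10.1.2.3 203.0.113.10 524288000
2025-09-01T02:15:00 10.1.2.3 203.0.113.10 209715200
2025-09-02T02:15:00 10.1.2.3 203.0.113.10 209715200
2025-09-03T02:15:00 10.1.2.3 203.0.113.10 209715200
2025-09-04T02:15:00 10.1.2.3 203.0.113.10 209715200
2025-09-05T02:15:00 10.1.2.3 203.0.113.10 209715200
2025-09-06T02:15:00 10.1.2.3 203.0.113.10 209715200
2025-09-03T11:00:00 10.1.2.4 198.51.100.7 52428800
2025-09-03T11:05:00 10.1.2.5 192.168.1.1 314572800
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (time, src, dst, bytes) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), ip_address(src),
                        ip_address(dst), int(nbytes)))
    return records


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def egress_events(records):
    """Group outbound (internal -> external) transfers per source host, time-ordered."""
    per_host = defaultdict(list)
    for ts, src, dst, nbytes in sorted(records, key=lambda r: r[0]):
        if is_internal(src) and not is_internal(dst):
            per_host[str(src)].append((ts, nbytes))
    return per_host


def flag_slow_exfiltration(records, window=timedelta(days=7), threshold=1 << 30):
    """Return {host: peak_bytes_in_window} for hosts exceeding threshold within window.

    Sliding window over time-ordered events: bytes are added as events enter
    the window and subtracted once they age out, so the scan is linear per host.
    """
    alerts = {}
    for host, events in egress_events(records).items():
        total, left = 0, 0
        for ts, nbytes in events:
            total += nbytes
            while ts - events[left][0] > window:
                total -= events[left][1]
                left += 1
            if total >= threshold:
                alerts[host] = max(alerts.get(host, 0), total)
    return alerts


if __name__ == "__main__":
    for host, peak in flag_slow_exfiltration(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {peak / 2**20:.0f} MiB egress to external addresses within 7 days")
```

A fixed 1 GiB threshold is only a starting point; in a real deployment the threshold would be derived from each host's own baseline, and hosts with a legitimate reason to push large volumes (backup servers, CDN uploads) would be listed out explicitly rather than raising the global limit for everyone.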

Interestingly, this all came just months after an earlier breach linked to the Hellcat ransomware group, which exposed internal documents and old credentials. “It appears some of those compromised credentials may have remained active, providing attackers with an open door,” says Maisonneuve.

As the attackers moved slowly, they were able to gradually gain access to systems and escalate access privileges without incurring suspicion. JLR’s systems would have treated the attackers like any other employee with the same access privileges, says Kirsten Bay, CEO of cyber-insurance provider, Cysurance. “This calls into question the identity and access management (IAM) processes and technical controls that were in place.”

IT and OT Issues 

Another issue making JLR more vulnerable was the increasingly blurred line between IT and operational technology (OT), which widens the attack surface.

Automotive assembly lines are powered by OT systems, which interface with “almost every aspect” of factory floor operations, says Jon Connet, chief product officer at Aeris. “Workstations and terminals and the cars are connected via fixed line, Wi-Fi and cellular connections. The cars themselves are installed with cellular modems. The robots assembling the cars potentially have fixed or cellular connections back to the automation vendor.”

This mix of technologies and connections is creating “an ever-expanding attack surface,” he says. “It’s like a balloon that is getting bigger, until someone pops it with a pin.”

Poor network segmentation between IT and OT was a problem for JLR. Once attackers accessed IT systems, JLR was forced to shut down connected manufacturing operations as a precaution, says Maisonneuve.

Escalating Costs 

Most of the £1.9 billion estimated cost derives from lost manufacturing output at JLR and its suppliers during the multi-week shutdown. “The disruption to 5,000 downstream organisations magnified systemic loss beyond the core target,” says Dray Agha, senior manager, security operations centre EMEA at Huntress.

The accompanying costs of incident response, system rebuild, delayed orders, contractual penalties, reputational damage and financial support including government guarantees all added to the total, according to Agha.

Lessons for UK CISOs 

One of the criticisms of JLR was the firm’s lack of cyber insurance. “The cruel irony here is that the company was in the middle of negotiating a policy when the attack happened,” Bay says.

Yet CEO of cyber insurance broker and consultancy Assured, Henry Green, argues that if he were the person responsible for JLR’s risk, he wouldn’t have invested in cyber insurance either, according to a recent blog. “Why the hell would they? The policy they were reportedly offered was for £30m cover (at the cost of £850k). They would have known that in an incident like this, they’d stand to lose £50 million a week. That cyber insurance policy wouldn’t have touched the sides.”

It shows that cyber insurance isn’t always able to provide enough protection, but firms also need to be aware of the risks they face. Taylor points to a lack of risk acknowledgement in many companies. “Even today as we head towards 2026, some companies continue to believe it won’t happen to them. The underlying mechanisms to mitigate the risk of these kinds of cyber-attacks have been very well understood for many years.”

With this in mind, he recommends CISOs follow the zero-trust model combined with an effective security operations centre.

Learning from the JLR incident, companies should work to separate IT and OT environments, says Maisonneuve. “Smart manufacturing demands efficiency, but connectivity should never mean exposure. Use strict segmentation, jump hosts and access gateways between corporate systems and industrial networks. It limits the blast radius when something goes wrong.”
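Segmentation of the kind Maisonneuve describes is only as good as the evidence that nothing bypasses it. The following is an added example, not a policy from JLR or anyone quoted on this page: given an assumed IT zone, an assumed OT zone and an assumed jump host, it scans constructed flow records and reports every flow that crosses the IT/OT boundary without the jump host as one endpoint. Run over real flow logs, the same check turns the segmentation design into something that can be verified rather than trusted.

```python
"""Check flow records for IT/OT traffic that bypasses the jump host.

Added illustration (not JLR's or any vendor's production policy): zone
ranges and a jump host are assumed, and any flow crossing the IT/OT
boundary without the jump host as an endpoint is a segmentation violation.
"""
from ipaddress import ip_address, ip_network

# Assumed zone layout (hypothetical addresses).
ZONES = {
    "it": [ip_network("10.10.0.0/16")],
    "ot": [ip_network("10.200.0.0/16")],
}
# Only these hosts may bridge the zones (assumed).
JUMP_HOSTS = {ip_address("10.10.250.1")}

# Constructed flow lines: src dst dport. Lines 3 and 4 are the violations:
# an IT workstation talking Modbus straight to a PLC, and an OT host
# reaching back into IT over SMB.
SAMPLE_FLOWS = """\
10.10.3.15 10.10.250.1 22
10.10.250.1 10.200.1.20 502
10.10.3.15 10.200.1.20 502
10.200.1.20 10.10.3.15 445
10.10.3.15 10.10.3.16 445
10.200.1.20 10.200.1.21 502
"""


def zone_of(ip):
    """Name of the zone containing ip, or 'unknown' if it is in no defined zone."""
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"


def parse_flows(text):
    """Parse 'src dst dport' lines into (src, dst, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport = line.split()
        flows.append((ip_address(src), ip_address(dst), int(dport)))
    return flows


def segmentation_violations(flows):
    """Return flows that cross the IT/OT boundary without touching a jump host."""
    violations = []
    for src, dst, dport in flows:
        crosses = {zone_of(src), zone_of(dst)} == {"it", "ot"}
        via_jump = src in JUMP_HOSTS or dst in JUMP_HOSTS
        if crosses and not via_jump:
            violations.append((str(src), str(dst), dport))
    return violations


if __name__ == "__main__":
    for src, dst, dport in segmentation_violations(parse_flows(SAMPLE_FLOWS)):
        print(f"VIOLATION: {src} ({zone_of(ip_address(src))}) -> "
              f"{dst} ({zone_of(ip_address(dst))}) port {dport}")
```

Flows whose endpoints fall in no defined zone are deliberately not flagged here; in a real run those would be reported separately, since an address outside the zone model usually means the model, not the traffic, is incomplete.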

It’s also important to ensure employees are aware of social engineering tactics used today. Training shouldn’t just cover phishing emails, says Maisonneuve. “Employees and contractors must understand that a convincing phone call or SMS can be just as dangerous. Adopt call-back verification policies: No password resets or multi-factor authentication changes should ever happen during an inbound call.”

Kate O'Flaherty, cybersecurity and privacy journalist
