Jaguar Land Rover cyberattack holds ominous lesson for British firms

A major cyberattack on Jaguar Land Rover, considered the most expensive security breach in British history, has prompted experts to question whether the U.K. is equipped to handle a rapidly growing cyber threat.

The Cyber Monitoring Centre, a cybersecurity body, recently estimated the hack of Britain’s biggest automaker to have cost the U.K. a whopping £1.9 billion ($2.5 billion), a figure that represents the substantial disruption caused to JLR’s manufacturing.

The company is currently in the midst of a phased restart to operations after the incident forced it to halt production at factories around the world.

“The threat profile is changing,” Edward Lewis, director at the Cyber Monitoring Centre, told CNBC’s “Squawk Box Europe” on Friday.

“What JLR now shows is that things have pivoted quite dramatically, much more towards economic security at an organizational level and national economic security,” he continued. “Let’s make no mistake here … this isn’t just another cyber headline. This was a macro economic event, and a very serious one for the U.K.”

The Department for Business and Trade did not directly respond to a CNBC question on how prepared the government is for this threat.

JLR first reported it had been victim of a “cyber incident” on Sept. 2. As the U.K.’s largest automotive employer, with nearly 33,000 people employees nationwide — and a further 104,000 working across its vast supply chain. Early figures from the company suggest the attack dealt a heavy blow, with wholesale deliveries down nearly 25% on the year in its fiscal second quarter.

On Tuesday, figures from the European Automobile Manufacturers’ Association, or ACEA, showed Jaguar sales to the EU by September year-to-date were down nearly 80% on an annual basis.

That impact is being felt on links all along the value chain. In a survey of businesses across the West Midlands region, the Black Country Chamber of Commerce found that nearly eight in 10 firms were negatively impacted by the cyberattack, with 14% already making redundancies by late September.

The cyberattack also comes amid years of decline for Britain’s car industry, with September’s production figure coming in at the lowest level since 1952, according to the lobby group Society of Motor Manufacturers and Traders.

JLR is such a pivotal player that its plant shutdown was singled out in S&P’s manufacturing PMI release for September, which fell to a six-month low of 46.2, below the 50-mark that separates growth from contraction.

The hack itself is understood to be the work of a criminal gang calling itself Scattered Lapsus$ Hunters: apparently a collaboration between three collectives, including one named Scattered Spider — which the National Crime Agency indicated it was investigating in connection with the cyberattack on British retailers Co-op and Marks and Spencer earlier this year.

The U.K.’s National Cyber Security Centre says cybercrime is on the rise, warning the country faces four “nationally significant” cyberattacks every week. That’s a record, and reflects a surge of more than 100% on previous levels.

In mid-October, the NCSC co-signed a letter with the National Crime Agency and government ministers —including Finance Minister Rachel Reeves — to the leaders of every company in the FTSE 350, calling on businesses to take steps toward protecting themselves from cyberattacks. The group’s message was clear: “Don’t wait for the breach, act now.”

Government attention has also turned to JLR’s parent company, Tata Group, whose subsidiary Tata Motors bought the Jaguar and Land Rover brands from Ford in 2008.

JLR is one of the more than 200 U.K.-based companies which outsources some or all of their IT management to another Tata subsidiary: Tata Consulting Services, with which JLR expanded its partnership in late 2023 to help it “create a simplified and leading-edge IT infrastructure,” in a deal worth more than £800 million.

Other companies in that roster include fellow cyberattack victims Marks and Spencer — which outsourced more than half of its IT team in 2018 — and the Co-op, which did the same for some of its IT roles two years later.

The Telegraph reported on Sunday that Marks and Spencer ended its business relationship with TCS in July in the aftermath of the attack, which TCS denies. “Some current reports are misleading,” a spokesperson for the firm told CNBC, “with inaccuracies including the size of the contract and the continuity of TCS’ work for Marks & Spencer.”

Spokespeople for both TCS and Marks & Spencer confirmed to CNBC that the bidding process for the service desk contract began in January, months before the hack.

Liam Byrne, chair of the U.K.’s Business and Trade Committee, wrote to TCS CEO Krithi Krithivasan in late September asking for information amid British media reporting that the attack on Marks and Spencer was apparently linked to one of TCS’ employees. TCS said there were “no indicators of compromise” within its network — and that the cyberattacks at all three firms took place within those clients’ own systems.

A TCS spokesperson expanded on this letter to CNBC, saying “while in none of these cases did the attack originate from TCS or our networks, our priority has been to help our clients during this period … TCS has reviewed our own networks systems and been able to conclude that the vulnerabilities have not originated from there.”

JLR says it makes up 4% of all U.K. goods exports. That’s a significant chunk. Therefore, it’s unsurprising that the government scrambled into action to try and support the company and the firms that rely on it to function — with ITV reporting that the U.K. mulled becoming a “buyer of last resort” for those companies, planning to sell components on to JLR once it resumed production.

The Department for Business and Trade wasn’t able to confirm the ITV report, but a government spokesperson told CNBC: “We acted swiftly to provide cyber security expertise and made a loan guarantee available at a critical moment to help stabilise the the situation. We continue to work closely with JLR, the industry and major banks to keep a close eye on the supply chain.”

JLR reportedly didn’t have cyber insurance at the time of the incident, leading some to question the precedent set by — and sustainability of — the government having to step in to prevent catastrophe. CNBC asked the automaker if this was the case, to which a a spokesperson for the firm said it does not comment on commercial matters.

As it happened, the government has said it will partially guarantee £1.5 billion in loans from a consortium of commercial lenders — meaning the taxpayer will only foot the bill if JLR defaults.

But, the Confederation of British Metalforming, which represents many businesses within JLR’s supply chain, called for further long-term support options — saying “the price of saving good companies is a lot cheaper than losing them.”

The Cyber Monitoring Centre’s Lewis told CNBC that while it’s “still a moral hazard if public intervention removes the incentive to invest in resilience,” it’s unlikely any policy “would even have touched the sides of the financial exposure” JLR has experienced.

Lewis said the conversation should focus more on turning resilience into value. “Emphasis can’t be on admonishment … it should be about encouraging a collective national understanding of the scale of this threat, what resilience really means day to day.”