A major cyber attack on Jaguar Land Rover is believed to be the most expensive security breach in British history, with experts questioning whether the UK is prepared to deal with rapidly growing cyber threats.
Cybersecurity organization the Cyber Monitoring Center recently estimated that the hack into Britain’s largest carmaker had cost Britain a staggering £1.9 billion ($2.5 billion), a figure that represents the significant disruption caused to JLR’s production.
The company is currently in the process of gradually restarting operations after the incident forced production to halt at its factories around the world.
“The threat profile is changing,” Edward Lewis, director of the Cyber Monitoring Center, told CNBC’s “Squawk Box Europe” on Friday.
“What JLR is showing now is that things have changed direction quite dramatically and they are putting more emphasis on economic security and national economic security at an organizational level,” he continued. “Please make no mistake here…this is not just a cyber news headline. This was a macroeconomic event and a very serious event for the UK.”
The Ministry of Commerce and Industry did not directly respond to CNBC’s questions about how prepared the government was for this threat.
JLR first reported being the victim of a “cyber incident” on September 2nd. It is the UK’s largest car employer, with around 33,000 employees across the country and a further 104,000 across its vast supply chain. The company’s early statistics suggest the attack hit hard, with wholesale shipments dropping nearly 25% year-over-year in the second quarter of its fiscal year.
Jaguar sales to the EU have fallen by nearly 80% year-to-date through September, according to figures released by the European Automobile Manufacturers Association (ACEA) on Tuesday.

The impact extends throughout the value chain. The Black Country Chamber of Commerce and Industry’s survey of businesses across the West Midlands revealed that nearly eight in 10 businesses had been negatively affected by cyber-attacks, with 14% having already made redundancies by the end of September.
The cyberattack comes as Britain’s car industry has been in decline for several years, with production in September at its lowest level since 1952, lobby group the Motor Vehicle Manufacturers and Trade Association said.
JLR is such an important company that factory closures were highlighted in S&P’s September Manufacturing PMI, which fell to a six-month low of 46.2, below the 50 mark that separates growth from contraction.
The hack itself is understood to be the work of a criminal organization calling itself the Scattered Lapsus$ Hunters. Apparently it was a collaboration between three groups, including one named Scattered Spider, which the National Crime Agency has indicated it is investigating in connection with cyberattacks on British retailers Co-op and Marks & Spencer earlier this year.
Growing threat
Britain’s National Cyber Security Center said cybercrime was on the rise, warning the country was facing four “nationally significant” cyberattacks every week. This is a record and reflects a spike of over 100% from previous levels.
In mid-October, the NCSC jointly signed a letter with the National Crime Agency and government ministers, including Chancellor of the Exchequer Rachel Reeves, addressed to the leaders of all companies in the FTSE 350, calling on them to take steps to protect themselves from cyber-attacks. The group’s message was clear: “Don’t wait for a breach, take action now.”
Government attention has also been focused on JLR’s parent company, the Tata Group, whose subsidiary Tata Motors acquired the Jaguar and Land Rover brands from Ford in 2008.
JLR is one of more than 200 UK-based companies that outsource some or all of their IT management to Tata Consulting Services, another Tata subsidiary, with JLR expanding the partnership in late 2023 to help it “build a simplified, state-of-the-art IT infrastructure” with a contract worth more than £800m.
The list also includes fellow cyberattack victims Marks & Spencer, which outsourced more than half of its IT team in 2018, and Co-op, which did the same with part of its IT department two years later.
The Telegraph reported on Sunday that Marks & Spencer ended its business relationship with TCS in July following the attack, which TCS denies. “Some of the current reports are misleading and inaccurate, including the size of the contract and the continuity of TCS’ work with Marks & Spencer,” a company spokesperson told CNBC.
Spokespeople for both TCS and Marks & Spencer confirmed to CNBC that the bidding process for the service desk contract began in January, several months before the hack.
Liam Byrne, chairman of the UK Business and Trade Commission, wrote to TCS CEO Kriti Kritivasan in late September, asking for information, after British media reported that the attack on Marks & Spencer was apparently linked to one of TCS’s employees. TCS said there was “no evidence of compromise” within its network and that the cyberattacks on all three companies occurred within its customers’ own systems.
A TCS spokesperson further elaborated on the letter to CNBC, saying, “While the attacks did not originate from TCS or our networks in any of these cases, our priority during this period was to assist our clients…TCS investigated its network systems and was able to conclude that the vulnerabilities did not originate there.”
“Moral Hazard”
According to JLR, it accounts for 4% of all UK product exports, a measure of its importance. It’s no surprise, then, that the government has sprung into action to support the company and the businesses that rely on it. ITV reported that the UK is considering becoming the “buyer of last resort” for these companies, with plans to sell parts to JLR once production resumes.
The Ministry of Industry and Trade could not confirm the ITV report, but a government spokesperson told CNBC: “We acted quickly to provide our cybersecurity expertise and made loan guarantees available at a critical moment to help stabilize the situation. We continue to work closely with JLR, industry and major banks to closely monitor the supply chain.”
JLR reportedly did not have cyber insurance at the time of the incident, leading some to question the precedent and sustainability of governments having to intervene to prevent catastrophes. CNBC asked the automaker if this was the case, but a company spokesperson said it does not comment on commercial matters.
Coincidentally, the Government has announced that it will partially guarantee a £1.5 billion loan from a consortium of commercial lenders. This means that taxpayers will only be responsible for paying the bill if JLR defaults.
However, the British Metal Forming Federation, which represents many companies in JLR’s supply chain, called for further long-term support options, saying: “The cost of saving a good company is far lower than losing one.”
Lewis, from the Cyber Monitoring Center, told CNBC that while “there is still a moral hazard if public intervention discourages investment in resilience,” policies that “touch the financial exposure side” of what JLR experienced are unlikely.
Mr Lewis said the dialogue should focus more on turning resilience into value. “The focus can’t be on warnings… it should be on promoting national understanding of the scale of this threat and what everyday resilience really means.”
