The dramatic impact of a major cyber incident is usually measured in the losses of the primary target. But when an organisation the size of Jaguar Land Rover (JLR) is brought offline, the true victims are often the thousands of smaller businesses in its orbit.

On the evening of 1st September 2025, JLR’s IT networks were hit by a severe cyber-attack. It took more than six weeks for manufacturing to resume as the incident kept the bulk of the business offline along with production lines. For the first approximate ten days, the disruption meant that the company was not even able to process new car orders.

Planned for maximum impact

The timing of the attack was designed to inflict maximum commercial pain. The 1st of September is the day new car registration numbers are released, making it one of the busiest and most critical trading days of the year for the automotive industry. It is believed the groundwork for this devastating payload may have been laid much earlier, perhaps as far back as March, when JLR reportedly suffered a data breach.

This delayed approach, where criminals establish a foothold and wait for the most damaging moment to activate their attack, highlights a sophisticated threat landscape.

Responsibility for the attack has been claimed by the ‘Scattered Lapsus$ Hunters’, a loose collective reportedly comprising three other groups: Shiny Hunters, Scattered Spider, and Lapsus$.

The crisis beyond

The ramifications for JLR are undoubtedly severe, especially amid unconfirmed rumours that the company may not have had comprehensive cyber security insurance in place. However, JLR is owned by the Indian TATA Group, a conglomerate with deep pockets and the likely ability to survive the outage.

The 30,000 people employed directly by JLR are facing uncertainty, but the greater and more immediate crisis lies with the reported 100,000 people employed across JLR’s extensive supply chain.

These are the significantly smaller UK-based businesses, the component manufacturers, the logistics firms, the service providers, that rely on a steady flow of work from their major customer. Unlike JLR, they may not be able to fall back on a wealthy parent company to plug the holes in their accounts created by weeks of no work.

Limited production has thankfully restarted at some JLR plants, a hopeful sign that a return to full capacity is on the horizon. But this incident must serve as a critical learning moment.

Lessons for every UK business

The JLR attack is a textbook example of how a single cyber-incident can create a financial shockwave. Here are the crucial takeaways:

1. Prioritise supply chain cyber resilience: Your own security is only as strong as the weakest link in your supply chain (or, in this case, the resilience of your biggest customer). Assess the cyber security of all critical partners. Can they recover quickly? Do they have robust business continuity plans?
2. Focus on detection, not just prevention: The long incubation period of this attack is highly concerning. It shows that perimeter defence is not enough. UK businesses must invest in advanced detection and response (MDR) services that can spot a criminal’s presence before they deploy the final payload. A criminal dwelling in your system for months is a failure of detection, not just prevention.
3. Stress-test your financial continuity: The primary risk for smaller suppliers is cash flow interruption. If your biggest client goes offline for six weeks, how long can your business survive without that revenue? Implement and regularly test a financial contingency plan to protect against prolonged payment delays.
4. Cyber insurance is non-negotiable: For SMEs, comprehensive cyber insurance is a vital safety net that can cover the costs of recovery, legal fees, and, crucially, business interruption losses when an incident hits you or your major partner.
5. Robust backups and BCP are king: Could your business operate even if your primary IT system was completely unavailable? A modern Business Continuity Plan (BCP), combined with isolated backups, is essential to ensure that a major incident doesn’t make your business non-operational. Recent advice from the NCSC is to hold a paper copy of your BCP to ensure that you can invoke it if the worst were to happen.

We can only hope that JLR’s return to full production ramps up, allowing the ‘little guys’ who make up the backbone of the UK’s manufacturing industry to get back to work and make it through this incident. But the time for every UK business to shore up their defences is now.