Production at Jaguar Land Rover (JLR) plants in the UK has begun to resume after a month-long shutdown following a cyberattack on 31 August 2025. The true extent of losses flowing from the attack are unlikely to be known for some time, but reports suggest that they will stretch well into the hundreds of millions of pounds.
The attack appears to have been carried out by a group identifying itself as ‘Scattered Lapsus$ Hunters’ in announcing the attack on its Telegram channel with over 50K subscribers. The group is thought to be linked with the ‘Scattered Spider’ group responsible for attacks earlier in the year on Co-op, Harrods, and Marks & Spencer (which reported a roughly £300M loss as a result, though as noted below, a cyber insurance policy was in place to cushion those losses). Two UK teenagers said to be members of the group involved in those attacks were charged this month by US prosecutors with extorting at least US$115M from their victims across numerous cyber attacks.
The attack on JLR appears to have involved the encryption of data in its core IT infrastructure, effectively crippling key business processes. JLR reported that it shut down its systems upon discovery of the attack, to seek to limit further damage. Contrary to what was initially reported, it now appears that some JLR data may have been taken. An increasingly common approach is known as ‘double-extortion ransomware’, where attackers first encrypt data to disable an organisation and seek to extract payment, and later (whether or not a ransom had been secured) threaten to release stolen data unless an additional payment is made.
As a result of the shutdown, JLR was reportedly losing in the range of £72M in revenue per day (and roughly £5M in profit), with 1,000 vehicles per day not being produced. The broader supply chain and its circa 200,000 workers suffered losses of their own, which in some cases had become existential; it was reported that those JLR suppliers which were heavily dependent on its orders for revenue, were forced to turn to staff layoffs within a couple of weeks of the shutdown. Once tallied, it is likely that the attack on JLR will be the most costly cyber attack in UK history.
Prior to beginning to restart its manufacturing at the end of September, JLR was preparing for potentially longer-term disruption and losses, securing a £1.5bn loan guarantee from UK Export Finance. In addition, JLR secured commercial credit facilities in the range of £2bn; clearly, at least a full month of lost production has taken a considerable toll.
It appears that JLR had been working with a broker at the time of the attack with a view to securing cyber risk coverage, but did not have a policy in place. Unlike M&S, which did have cover in place that would have lessened the impact of its losses by up to £100M, JLR will bear the totality of its losses.
Ensuring your business is prepared for a cyber attack
According to Marsh, between 60% and 70% of the UK’s largest businesses have cyber cover; a UK Government survey concluded that roughly 45% of businesses across the spectrum have cyber insurance.
Organisations will typically look to their cyber insurance policy for coverage of key losses likely to be incurred in a cyber attack, including:
- Business interruption and resultant loss of income
- Forensic investigation and data restoration
- Legal advice
- Third-party liability claims
- Regulatory reporting and (where covered) fines
- Reputation management
- Ransomware payments (in some cases, and becoming rarer).
Some businesses have been resistant to the perceived high cost of such policies, and wary of the scope of exclusions following highly publicised legal battles over claims for business interruption due to the Covid pandemic.
For cyber policies, the exclusion for ‘acts of war’ is a frequent concern. The policy wording is not uniform across the sector, and the inability in many cases to confirm the identity of the attackers might lead to disputes as to whether they are ‘state-backed’ and so potentially within the ambit of the ‘war’ exclusion. Where there is scope for dispute as to whether a cyber incident will be covered under a policy, and so at least a delayed payment by an insurer, the Government is likely to be called upon as de facto insurer for businesses which might not otherwise survive.
The attack on JLR will surely have risk departments across larger businesses (including JLR) and SMEs looking at their existing security arrangements, response planning, and insurance coverage. Smaller businesses, too, should take note, particularly those which are highly dependent on one or two large clients for their revenues; if one of those clients suffers a cyber incident, what do the contractual arrangements say about losses and does the business have a contingency plan in place?
The JLR incident is likely to add pressure on the UK Government to prioritise its Cyber Security and Resilience Bill – first introduced in July 2024, but as yet still not formally tabled in Parliament – which will update the 2018 Network and Information Systems Regulations and expand requirements for digital security across the economy.
If you have questions or concerns about cyber security, please contact Robert Peake and James Tumbridge.