Car dealership cyber security lessons from JLR, Arnold Clark

By Staff

Proportionality bias has led many to assume that last summer’s major cyberattack on Jaguar Land Rover, one of the jewels in the nation’s automotive crown, must have had an equally intricate cause.

The cyberattack’s impact was huge – and so it naturally triggers “it must have required mastermind-level expertise” thinking.

When the UK car manufacturer detected that its computer systems had been breached in late August 2025, it was forced to shut down critical IT systems, bringing production to a shuddering halt.

Rebooting those systems had to be done in a controlled way, which took time. Weeks of unavoidable delay rippled disastrously through the supply chain and caused a significant dip in the UK’s gross domestic product for that quarter.

But here’s the rub: such a devastating degree of operational fallout does not require a Hollywood-level entry method.

Why big cyber incidents often start with small errors

The BBC Radio 4 documentary Currently: Fixing the Chain detailed how the perpetrators likely gained access – offering clues to the “how”. For data-rich retail businesses like car dealerships, examining the “how” – rather than the “why” – makes for essential reading.

Commenting on the JLR cyberattack, Lisa Ventura, founder of the Cyber Security Association, told the show: “What you see in Hollywood films – these hooded figures typing in dark rooms – it was absolutely nothing like that at all.”

While JLR has not disclosed the who, why and how of the attack, Ventura believes it started with phone calls, what security experts term vishing, or voice phishing, with attackers spending hours on employee social media accounts and learning how the business’ IT helpdesk operated. That done, they simply rang up the business’ IT helpdesk pretending to be staff who’d forgotten their passwords.

This “social engineering” trick succeeds, she says, because of how ordinary it feels in the moment. People whose job it is to help with IT problems on the other end of the phone are understandably doing their best to assist.
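As an added illustration, not taken from the documentary, from JLR or from any vendor, the Python below shows what detecting that helpdesk-reset pattern looks like when an identity provider’s audit log is available: a password reset performed by someone other than the account owner, followed within an hour by a new MFA device and a sign-in from a network the user has never used. The event field names, the sample events and the “known networks” table are constructed assumptions.

```python
"""Flag helpdesk password resets that are followed by the signs of an account takeover.

Added example: the audit events, field names and the per-user known-network table
below are constructed, not real identity-provider output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (ISO timestamps, one event per dict).
EVENTS = [
    {"ts": "2025-08-20T09:02:00", "user": "alice", "event": "password_reset", "actor": "helpdesk-7"},
    {"ts": "2025-08-20T09:05:10", "user": "alice", "event": "mfa_enrolled", "actor": "alice", "device": "new-phone"},
    {"ts": "2025-08-20T09:06:30", "user": "alice", "event": "login", "actor": "alice", "ip": "198.51.100.23"},
    {"ts": "2025-08-20T10:15:00", "user": "bob", "event": "password_reset", "actor": "helpdesk-2"},
    {"ts": "2025-08-20T10:20:00", "user": "bob", "event": "login", "actor": "bob", "ip": "10.20.0.5"},
    {"ts": "2025-08-21T08:00:00", "user": "carol", "event": "mfa_enrolled", "actor": "carol", "device": "new-phone"},
]

# Assumed baseline: address prefixes each user normally signs in from.
KNOWN_PREFIXES = {"alice": ["10.20."], "bob": ["10.20."], "carol": ["10.20."]}

WINDOW = timedelta(hours=1)


def _parse(ts):
    return datetime.fromisoformat(ts)


def is_known_network(user, ip):
    """True if the address falls inside a prefix this user has used before."""
    return any(ip.startswith(p) for p in KNOWN_PREFIXES.get(user, []))


def find_suspicious_resets(events, window=WINDOW):
    """Return {user: reason} for every helpdesk-initiated reset that is followed,
    inside `window`, by a new MFA device and/or a sign-in from an unknown network."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    hits = {}
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            # Only resets performed by someone other than the account owner count.
            if e["event"] != "password_reset" or e["actor"] == user:
                continue
            t0 = _parse(e["ts"])
            followers = [f for f in evs[i + 1:] if _parse(f["ts"]) - t0 <= window]
            new_mfa = any(f["event"] == "mfa_enrolled" for f in followers)
            odd_login = any(f["event"] == "login" and not is_known_network(user, f["ip"])
                            for f in followers)
            if new_mfa and odd_login:
                hits[user] = (f"helpdesk reset by {e['actor']} followed by new MFA device "
                              f"and sign-in from unknown network")
            elif new_mfa or odd_login:
                hits.setdefault(user, f"helpdesk reset by {e['actor']} followed by "
                                + ("new MFA device" if new_mfa else "sign-in from unknown network"))
    return hits


if __name__ == "__main__":
    for user, reason in find_suspicious_resets(EVENTS).items():
        print(f"{user}: {reason}")
```

In the constructed data only alice matches the full chain; bob’s reset is followed by a sign-in from his usual network and carol enrols a device without any reset, so neither is raised. The point is that the reset itself is a normal helpdesk event; it is the combination with what follows that is worth an alert.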

Israeli cyber security specialist Shaya Feedman offers more substance to this theory, describing the attack that halted JLR operations as the result of serious organisational failures and arguing that the most damaging element was not simply how intruders got in, but how long they were able to manipulate critical production systems before being detected.

Speaking to AM, Feedman – a former head of information security at Porsche Digital and co-founder of technology expert Deep Specter – says his team actually warned JLR some time before it went public on falling victim to a cyberattack.

Feedman says his decision to reach out and warn the manufacturer was driven by a sense of professional responsibility rather than by any prospect of commercial benefit.

“When you see something dangerous, you want to let people know about it,” he says.

His team emailed JLR’s security contact address – which, he says, European best-practice guidance expects companies to maintain so that they can receive such intelligence – but received no response.

Had Jaguar Land Rover acted on the warnings, Feedman believes the company could have identified and isolated the source of the breach far earlier, containing it quickly and avoiding such a prolonged production shutdown.

Early warning signs: leaked credentials, cloned sites

He describes the early warning signs his team observed. The first was a large volume of leaked passwords linked to JLR on the “dark web”.

Feedman says nothing was explicitly advertised for sale, although he characterises the amount of leaked credentials as significantly higher than normal.

At around the same time, Feedman says his team also saw large numbers of fake employee login websites impersonating JLR, which could have been another “socially engineered” way to amass access credentials through duping unwitting employees.

“The negligence started by not detecting that,” he says, pointing to the known existence of a criminal ecosystem of “initial access brokers” who use malicious software and clone sites at scale to capture login credentials of employees of businesses which could be future ransom bait.

The ‘how’ could well have been such initial access brokers touting a package of access credentials gathered through duping unwitting employees or helpdesk contractors.
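Detecting the cloned login sites Feedman describes is mostly a matter of watching for lookalike domains before staff are sent to them. The Python below is an added example of that triage, not code from Deep Specter or from the article: it folds common visual confusables and typosquat substitutions to a comparable form, then scores each candidate domain against a protected brand label by edit distance. The brand label “dealer-login”, the allowlist and the candidate domains are constructed placeholders, not real domains, and the confusables table is an illustrative subset rather than a complete one.

```python
"""Lookalike-domain triage for cloned employee login sites.

Added example: BRAND, LEGITIMATE and CANDIDATES are constructed placeholders;
the confusables table is an assumed, deliberately small subset.
"""
import unicodedata

# Visual confusables folded to ASCII before comparison (assumed list, not exhaustive).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic a e o p c
    "\u0131": "i",  # dotless i
})
MULTI = [("rn", "m"), ("vv", "w"), ("cl", "d")]  # two-character look-alikes


def normalise(label):
    """Fold one domain label to a comparable ASCII form (hyphens dropped)."""
    label = unicodedata.normalize("NFKC", label).lower().translate(CONFUSABLES)
    for pair, single in MULTI:
        label = label.replace(pair, single)
    return label.replace("-", "")


def levenshtein(a, b):
    """Plain edit distance; small inputs, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score(candidate, brand):
    """Lowest distance between the normalised brand and any label of the candidate.
    0 means some label is the brand or a homoglyph/typo version of it."""
    b = normalise(brand)
    best = None
    for label in candidate.split("."):
        n = normalise(label)
        d = levenshtein(n, b)
        if b in n and n != b:
            d = min(d, 1)  # brand embedded in a longer label, e.g. "dealer-login-sso"
        best = d if best is None else min(best, d)
    return best


def triage(candidates, brand, legitimate, max_distance=2):
    """Candidates that look like the brand and are not on the allowlist."""
    allow = {d.lower() for d in legitimate}
    return sorted(c for c in candidates
                  if c.lower() not in allow and score(c, brand) <= max_distance)


BRAND = "dealer-login"
LEGITIMATE = {"dealer-login.example"}
CANDIDATES = [  # constructed; the comments say what each one imitates
    "dealer-login.example",             # the real site (allowlisted)
    "dea1er-login.example-portal.net",  # digit 1 for l
    "de\u0430ler-login.com",            # Cyrillic a for Latin a
    "dealer-loqin.com",                 # q for g
    "dealer-login-sso.net",             # brand embedded in a longer label
    "dealer-login.example.evil.net",    # brand as a subdomain of another site
    "dealership-news.example",          # shares a prefix only; should not fire
]

if __name__ == "__main__":
    for d in triage(CANDIDATES, BRAND, LEGITIMATE):
        print(f"{d}  (distance {score(d, BRAND)})")
```

Fed with newly registered domains or certificate-transparency log entries, a score of 0 or 1 against a brand label is a strong signal worth a takedown request and a block at the web proxy; the “shares a prefix only” case shows why a distance threshold, rather than a plain substring match, keeps the noise down.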

But who went on to buy and exploit the data? State-level actors intent on serious attack on a major industrial exporter or simply genius hackers showing off from their bedroom lairs?

Feedman dismisses the idea that such a major attack on a production system could be waged by ‘script kiddies’, arguing that causing harm inside a modern connected factory network requires a high level of expertise.

Even so, while best-practice industry standards require the factory environment to be isolated, factory systems are often old and were not designed with advanced cyber security monitoring or detection capabilities.

And once an intruder is inside, the deep interconnection of non-segregated systems means the damage that can be done can prove catastrophic.

In his view, the attackers must have broken into JLR’s systems and remained hidden there for an extended period, something reflected in the comprehensive nature and length of the eventual shutdown. He also thinks it could well have been a state-level attack on what is a major exporter.

Should your business be offering access to all areas?

Mark Rodbert, co-founder of Idax Software, is careful not to speculate about any single case beyond what is on the public record, but he makes a broader point that the attacker does not always need to break in through a technical back door if they can talk someone into opening the front one.

Idax’s focus is not the flashing red alert that something suspicious is happening right now. It is the slow, largely invisible drift of permissions that creates the conditions for a major incident.

Rodbert’s team uses pattern-finding analytics that spot anomalies without needing prior knowledge of how a business is structured.

When cyber incidents hit household names, attention tends to land on the hackers’ tactics. But Rodbert argues that the more enduring lesson is about access and about people.

Many recent cases that have come to light have included an element of psychological manipulation, often described as “social engineering”. He dislikes the term. “It’s really just conning people,” he insists. 

This is where access rights become the accelerant. The more people who have “just in case” permissions, the more chance an attacker has of landing on an account that can do real damage.

Locks vs alarms: prevention first, then detection

Rodbert divides controls into two camps: detective and preventative. Many well-known cyber tools, he notes, are designed to detect unusual behaviour on networks, then raise an alarm. That matters, but it can prove too late.

“Alarms are much more sexy and exciting than locks,” he says, using the simple analogy: “Locks stop the crime. Alarms tell you it has happened”.

Preventative control, in Idax’s world, is about reducing blast radius. “You have to assume the ‘bad’ guys are already inside,” Rodbert says, so the best way to reduce the potential impact is to limit what any one set of credentials can reach, and to constantly review those permissions as roles change.

The examples he gives are uncomfortably mundane. People move departments and keep access from their previous jobs. People get rights by accident. One case, he says, involved a non-executive director who ended up with business-critical access because she shared a surname and first initial with a board director.

It is the sort of mistake nobody intends, and which can sit unnoticed for months, if not years.
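The drift Rodbert describes (old rights kept after a move, rights granted to the wrong namesake, leavers still active) can be surfaced without an org chart by comparing each account with the accounts whose entitlements most resemble it. The Python below is an added example of that peer-based review, not Idax’s product or any vendor’s code: users, entitlements and the HR leaver feed are constructed, the system names are placeholders, and “peers” simply means the two users with the highest Jaccard overlap in entitlements.

```python
"""Peer-based entitlement outlier review.

Added example: ENTITLEMENTS and LEFT are constructed sample data; the
entitlement names are placeholders and no organisational structure is used.
"""

# Constructed data: account -> entitlements held.
ENTITLEMENTS = {
    "sales.a": {"dms_read", "crm", "quote_tool"},
    "sales.b": {"dms_read", "crm", "quote_tool"},
    "sales.c": {"dms_read", "crm", "quote_tool", "finance_approve"},  # moved from finance, kept old right
    "fin.a":   {"finance_approve", "ledger", "dms_read"},
    "fin.b":   {"finance_approve", "ledger", "dms_read"},
    "board.j": {"board_portal", "ledger"},
    "ned.j":   {"board_portal", "ledger", "treasury_payments"},       # namesake of a director, given an extra right
    "tech.x":  {"dms_admin", "crm", "dms_read"},
}
# Constructed HR feed: accounts whose owner has left the business.
LEFT = {"tech.x"}


def jaccard(a, b):
    """Overlap of two entitlement sets, 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if a | b else 0.0


def peers(user, ents, k=2):
    """The k accounts whose entitlement sets are most similar to user's."""
    scored = sorted(((jaccard(ents[user], ents[o]), o) for o in ents if o != user),
                    reverse=True)
    return [o for _, o in scored[:k]]


def outliers(ents, k=2):
    """{user: entitlements that none of the user's k nearest peers hold}."""
    found = {}
    for u in ents:
        peer_union = set().union(*(ents[p] for p in peers(u, ents, k)))
        extra = ents[u] - peer_union
        if extra:
            found[u] = extra
    return found


def leavers_with_access(ents, left):
    """Accounts in the leaver feed that still hold any entitlement."""
    return {u: ents[u] for u in left if ents.get(u)}


if __name__ == "__main__":
    for user, extra in outliers(ENTITLEMENTS).items():
        print(f"{user}: nobody similar holds {sorted(extra)}")
    for user, rights in leavers_with_access(ENTITLEMENTS, LEFT).items():
        print(f"{user}: has left but still holds {sorted(rights)}")
```

On the constructed data the review picks out the mover who kept finance approval, the namesake who was handed a payments right, and the departed administrator. The last case is also a reminder that a genuinely unique role will show up as an outlier too, so the output is a list for a human to confirm, not an automatic revocation.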

Dealer risk shift: customer data, finance products

Those are precisely the cracks a hacker can exploit. Rodbert describes a plausible scenario where someone rings an employee and claims to be from IT support.

The hook is simple: they’ll tell someone that they have access they should not have, and that they need to give their username and password to fix it. If the employee does not even realise they have that access, why would they question it?

For automotive retailers, the consequences are not abstract. Dealer groups hold dense pools of customer data and many now sell finance products at scale.

Rodbert frames the risk of that evolution bluntly: “A car dealership used to sell cars, now it sells a lot of financial products but it hasn’t undergone the same kind of culture shift necessarily that the banks have.”

High staff turnover is a further risk signal. “Turnover is a leading indicator of vulnerability,” he says, pointing to leavers who exit with data access rights and new joiners who may not appreciate the severity of contractual and regulatory boundaries.

Retailers worry about data theft and resale, he says, but increasingly they fear operational paralysis more.

Criminals can make more money by stopping the business than by quietly siphoning records. In that sense, a dealership’s biggest nightmare may not be a leak, but a scenario where systems fail, phones light up, and nobody knows where stock is, what orders are pending or what work can be completed.

That nightmare scenario hit AM100 retailer Arnold Clark when a cyber attack waged in late December 2023 saw the car retail giant forced to shut down internet access to protect its data.

Arnold Clark customers had their addresses, passports and national insurance numbers leaked on the dark web, and the shutdown left the group unable to complete vehicle handovers at a critically important trading period.

Arnold Clark: the cost of disruption and data exposure

The cyberattack ultimately cost the company £50 million, triggered major customer data and privacy concerns with accompanying legal challenges, and forced a complete rebuild of corporate systems. Its IT budget, previously around £9 million, almost doubled to £16 million.

Rodbert’s advice for when the worst happens is pragmatic. Do not rush into panicked action at 3am. Have a business continuity and disaster recovery plan in place that names who to call, including specialist legal support – and practise it.

Know your stance on ransom demands in advance and make sure your backup strategy can return you to a point you trust.

One of the hardest truths, he says, is that attackers can sit inside an organisation for a long time, meaning that even an IT backup from, say, the previous month may still be infected.

Ventura at the Cyber Security Association supports that view, referencing the attack on JLR. “With that level of access,” she says, “the attackers had the keys to JLR’s entire kingdom”, and then sat hidden inside for weeks or months, “just watching, learning and waiting for the right time to strike.”

Eddie Hawthorne, the former Arnold Clark chief who had to manage the impact of the 2023 attack, has also expressed shock at discovering that the retailer’s cyber defences had been breached some time before the business became aware of suspicious activity.

Speaking at AM Live the year after the attack, he said the attackers had been hiding “in his attic” for months, waiting for a busy trading period when the business would be at its most vulnerable.

Little surprise then that in mid-January, after securing its IT networks, the dealership group was targeted once again by the ransomware gang. “This was a gift that kept on giving,” Hawthorne told FutureScot last year. “I got a little email from the dark web telling me that they’d stolen some data, and they were going to release it.”

While Arnold Clark had no way of knowing what or how much had been taken, the business had by then re-engineered its security and, on advice, ignored the demands for payment from what was suspected to be a criminal group with Russian links.

Beyond IT: connected systems, firmware risk

Ignoring the ransom may have been the right call, but it does not remove the underlying exposure. Increasingly, the most serious risk lies not in stolen data, but in compromised code, firmware and the processes used to deploy them.

Feedman at Deep Specter highlights one particular risk as especially concerning in the manufacturing environment – the process of flashing software which overwrites existing firmware or data. He fears that if that process is manipulated, the potential damage would have “no limits” especially if applied to over-the-air updates with which many new cars are equipped.

What worries him most is a scenario where a malicious actor could affect vehicle safety at scale – and generate huge reputational damage as a result. “I’m afraid that someone, somewhere has a red button and when they push it, 100,000 cars somewhere in the world will stop functioning safely,” he says, offering braking as an example of a safety-critical function that could be targeted.

That is arguably the worst scenario, and one with chilling implications.
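The defence against a manipulated flashing process is that nothing is written to an ECU until the update has been authenticated, bound to the image bytes and checked against the installed version, and that the write is verified afterwards. The Python below is an added example of that gate, not JLR’s, Deep Specter’s or any manufacturer’s code. To keep it self-contained with the standard library, a device-held HMAC key stands in for the asymmetric signature a real over-the-air pipeline would use (with the signing key in an HSM and only the public key on the vehicle); the key, version numbers, ECU names and image bytes are all constructed.

```python
"""Update-authenticity gate for a firmware flashing step.

Added example. DEVICE_KEY, the ECU names and the image bytes are constructed;
HMAC is a stand-in for the asymmetric signature a production OTA pipeline uses.
"""
import hashlib
import hmac
import json

DEVICE_KEY = b"constructed-device-key-not-real"  # would live in an HSM / secure element


class RejectedUpdate(Exception):
    """Raised for any check that fails; the caller must not write anything."""


def sign_manifest(key, manifest):
    """Authentication tag over the canonical (sorted-key) JSON of the manifest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_update(key, image, version, target):
    """What the release pipeline would produce: manifest + tag + image."""
    manifest = {"target": target, "version": version,
                "sha256": hashlib.sha256(image).hexdigest(), "size": len(image)}
    return {"manifest": manifest, "tag": sign_manifest(key, manifest), "image": image}


def verify_update(key, update, installed_version, expected_target):
    """All checks the installer makes before touching flash. Returns the new version."""
    m = update["manifest"]
    if not hmac.compare_digest(sign_manifest(key, m), update["tag"]):
        raise RejectedUpdate("manifest authentication failed")
    if m["target"] != expected_target:
        raise RejectedUpdate("manifest is for a different ECU")
    if m["version"] <= installed_version:
        raise RejectedUpdate(f"rollback: {m['version']} <= installed {installed_version}")
    image = update["image"]
    if len(image) != m["size"] or hashlib.sha256(image).hexdigest() != m["sha256"]:
        raise RejectedUpdate("image does not match authenticated manifest")
    return m["version"]


def flash(key, update, installed_version, target, write):
    """Write only after every check passes, then re-hash what was actually written."""
    new_version = verify_update(key, update, installed_version, target)
    written = write(update["image"])
    if hashlib.sha256(written).hexdigest() != update["manifest"]["sha256"]:
        raise RejectedUpdate("post-write verification failed")
    return new_version


def run_cases():
    """Exercise the gate against constructed good, tampered and rolled-back updates."""
    store = {}

    def write(img):          # stands in for the flash driver; returns what it wrote
        store["flash"] = img
        return store["flash"]

    good = build_update(DEVICE_KEY, b"\x7fECU firmware v2", 2, "brake-ecu")
    cases = {
        "good": good,
        "tampered_image": dict(good, image=b"\x7fECU firmware v2 + backdoor"),
        "rollback": build_update(DEVICE_KEY, b"\x7fECU firmware v1", 1, "brake-ecu"),
        "wrong_target": build_update(DEVICE_KEY, b"\x7fECU firmware v2", 2, "infotainment"),
        "forged_manifest": {**good, "manifest": dict(good["manifest"], version=9)},
    }
    results = {}
    for name, upd in cases.items():
        try:
            results[name] = f"accepted v{flash(DEVICE_KEY, upd, 1, 'brake-ecu', write)}"
        except RejectedUpdate as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(f"{name}: {outcome}")
```

Each failure mode is caught by a different check: a swapped image fails the hash bound to the authenticated manifest, an edited manifest fails authentication, an older build fails the rollback test and a package built for another ECU is refused before any bytes are written. The order matters as much as the checks themselves; authenticate first, then decide, then write, then verify.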

But on the ground, dealer groups are balancing data security with operational reality: the need to keep customers moving through the showroom and workshop.

For Hawthorne at Arnold Clark the impact was profound: “Forcing everything offline had an immediate impact on the business: it meant no phones, no emails, no access to vital systems, and no list of people who you would actually phone, because everything had been computerised,” he says.

“It was a big game of giant Whack-a-Mole,” he recalls. “It was man versus machine and by 2:47 am we were losing control of our system: we were about to be locked out.”

While that tension is constant, Rodbert at Idax Software argues that maintaining a disciplined access governance posture is where the battle can be won quietly, before the alarms ever sound and uncomfortable decisions have to be taken at 2:47 am.
