From factory shutdowns and furloughed workers to losses forecast in the hundreds of millions, the fallout from JLR’s cyber-attack exposes vulnerabilities in interconnected supply chains. What can other companies learn?

Jaguar Land Rover (JLR) suffered a cyber-attack, prompting the company to shut down its systems to contain the breach on 31 August 2025. The hack is expected to result in hundreds of millions of pounds of losses for JLR – some estimates suggest up to £72 million (US$96 million) in lost revenue per day – and wreaked havoc across the company’s supply chain.
JLR factory staff were ordered to remain at home as production ground to a halt. The knock-on impacts for the smaller companies in JLR’s supply chain may have been even greater, leading to calls for the UK government to intervene. Thousands of jobs could be put at risk, either temporarily or permanently, experts warn.
One of JLR’s main suppliers, Evtec Group, announced it had reopened its factory six weeks after the attack, but says it lost £13 million (US$17 million) in revenue and furloughed 900 workers on reduced pay.
Evtec’s CEO described the disruption caused by the cyber-attack as more significant than COVID. Likewise, members of the international trade association now warn that cyber threats rival geopolitical turbulence and tariff disputes as the greatest risk to organisations.
In light of the JLR incident, Lexology PRO sets out some key steps companies should take to protect themselves and their suppliers from major cyber-attacks, in the interests of minimising disruption and ensuring a smooth transition back to regular operations.
Key lessons from the JLR cyber-attack
Social-engineering attacks are an ever-increasing risk
A group calling itself “Scattered Lapsus$ Hunters” (SLH) claimed responsibility for the JLR attack, apparently a combination of three well-known criminal organisations, including “Scattered Spider.” Scattered Spider is also being investigated in relation to the recent ransomware attack against Marks and Spencer (M&S).
Both JLR and M&S were targeted using social engineering techniques, whereby criminals posed as a staff member and convinced the IT helpdesk to reset passwords and re-register multi-factor authentication devices.
These recent events underscore the devastating potential reach of social-engineering cyber-attacks. Cybersecurity is no longer a purely technical matter – the consequences of one rogue phone call can be at least as serious as those of a sophisticated malware attack.
To avoid falling victim, companies should adopt a zero-trust model, under which every request to access the network is presumed hostile until it has been verified.
Core principles of zero-trust include explicit verification, access limitation and assumption of a breach – never trust, always verify.
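The helpdesk reset described above is where these principles meet practice. The following is an added example, not code from the article or from JLR or M&S: a small policy that decides whether a helpdesk agent may action a password reset or an MFA device re-registration. It applies the three principles in order (explicit verification, access limitation, assume breach). Every name, evidence type and threshold (the 15-minute credential, the 7-day monitoring window) is an assumption chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    PASSWORD_RESET = "password_reset"
    MFA_REREGISTER = "mfa_reregister"


class Evidence(Enum):
    # Researchable facts (employee ID, date of birth, manager's name). An
    # impostor can collect these, so they never count as verification alone.
    KNOWLEDGE_ANSWERS = "knowledge_answers"
    # Out-of-band factors: the agent initiates contact through a channel
    # already held on record, rather than trusting whoever called in.
    CALLBACK_REGISTERED_PHONE = "callback_registered_phone"
    PUSH_TO_EXISTING_MFA = "push_to_existing_mfa"
    IN_PERSON_ID_CHECK = "in_person_id_check"
    # A second human confirming the request from their own account.
    MANAGER_APPROVAL_TICKET = "manager_approval_ticket"


OUT_OF_BAND = {
    Evidence.CALLBACK_REGISTERED_PHONE,
    Evidence.PUSH_TO_EXISTING_MFA,
    Evidence.IN_PERSON_ID_CHECK,
}


@dataclass
class HelpdeskRequest:
    account: str
    action: Action
    evidence: set
    privileged: bool = False  # admin, finance, IT or other high-impact role


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    follow_up: list = field(default_factory=list)


def evaluate(req: HelpdeskRequest) -> Decision:
    """Assumed policy: explicit verification, access limitation, assume breach."""
    oob = req.evidence & OUT_OF_BAND
    d = Decision(allowed=False)

    # Explicit verification: something the agent initiated, never only
    # answers supplied by the caller.
    if not oob:
        d.reasons.append("no out-of-band verification; caller-supplied answers "
                         "are not proof of identity")
        return d

    # Access limitation: high-impact accounts are not reset over the phone.
    if req.privileged and not (oob & {Evidence.PUSH_TO_EXISTING_MFA,
                                      Evidence.IN_PERSON_ID_CHECK}):
        d.reasons.append("privileged account: requires existing MFA device "
                         "or in-person identity check")
        return d

    # Re-registering MFA replaces the control that would otherwise stop
    # someone who already holds the password, so a phone callback alone is
    # not enough unless the caller can still use the old device.
    if req.action is Action.MFA_REREGISTER:
        still_has_device = Evidence.PUSH_TO_EXISTING_MFA in req.evidence
        in_person = Evidence.IN_PERSON_ID_CHECK in req.evidence
        second_human = Evidence.MANAGER_APPROVAL_TICKET in req.evidence
        if not (still_has_device or in_person or second_human):
            d.reasons.append("lost-device MFA re-registration needs manager "
                             "approval on a separate channel")
            return d

    d.allowed = True
    # Assume breach: even a correctly verified reset is treated as a possible
    # takeover, so the account is fenced and watched afterwards.
    d.follow_up += [
        "revoke all active sessions and refresh tokens",
        "issue one-time credential valid for 15 minutes; force change on first use",
        "notify the account owner on every registered channel",
        "raise SOC alert; place account on 7-day enhanced monitoring",
    ]
    if req.action is Action.MFA_REREGISTER:
        d.follow_up.append("remove the old MFA device only after the new one "
                           "is confirmed; keep the old device id in the alert")
    return d


# Constructed request modelled on the pattern the article describes: a caller
# answers the standard questions and asks for MFA to be re-registered.
CALLER_WITH_ANSWERS_ONLY = HelpdeskRequest(
    "j.bloggs", Action.MFA_REREGISTER, {Evidence.KNOWLEDGE_ANSWERS})

if __name__ == "__main__":
    print(evaluate(CALLER_WITH_ANSWERS_ONLY))
```

The design point is that the decision never depends on what the caller says, only on what the agent can independently confirm, and that a permitted reset still triggers containment steps rather than closing the ticket.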
Expect and prepare for attempted cyber-attacks
The number of cyber-attacks, particularly large-scale, costly ransomware attacks, appears to be rising. Ransomware incidents reported by businesses globally more than doubled over the last five years, according to Verizon.
Therefore, in addition to implementing robust measures to prevent attacks, companies should also develop action plans to follow in the event of a breach, aimed at minimising disruption and ensuring compliance with regulatory obligations.
Consider investing in cyber insurance
According to reports, neither JLR nor the Co-op – another high-profile cyber-attack victim of 2025 – had cyber insurance, meaning the companies must bear responsibility for the cost of their losses.
In the case of JLR, the UK Government has committed to underwriting a £1.5 billion (US$2 billion) loan to help the carmaker support its suppliers that were affected by the production shutdown.
According to the 2025 Security Breaches Survey, just 45% of UK businesses have cyber insurance.
With the number of costly cyber-attacks increasing, it may be prudent for all companies to consider whether they could benefit from investing in insurance. Companies will need to consider factors such as the cost of comprehensive coverage, potential limitations of coverage and whether cyber-risks can be sufficiently reduced with a robust security programme.
Cyber insurance could complement organisations' technical security measures, which may not prevent breaches caused by human error.
Adopt measures to protect supply chains
The JLR incident revealed the devastating impacts a cyber-attack can have on highly interrelated supply chains, particularly the “outbound risks” borne by smaller suppliers.
Disruption resulting from a cyber-attack may prevent the affected company from fulfilling the terms of its contracts with supply chain partners, resulting in claims for damages, termination of the underlying contracts or significant financial harm for smaller companies.
To mitigate these potential risks, companies could consider including provisions in all underlying supply chain contracts that mandate cyber resilience, to ensure all parties adhere to best practices for cybersecurity.
It’s also vital that companies review and understand the contractual obligations they have committed to. Organisations may be able to rely on force majeure provisions in the event of a cyber incident, but this will depend on the precise wording of contracts.
It’s also prudent to establish clear communication and contingency protocols with key suppliers to refer to following an incident.
Consider wider workforce impacts
The JLR incident also highlighted how a major cyber incident can directly impact workers at the affected company, as well as partner organisations.
If operations or production are fully halted, as was the case for JLR, employers may need to temporarily cut back on staff hours to keep costs down and the business afloat; for example, by implementing layoffs, short-time working or furlough.
Companies should consider these potential scenarios carefully, ideally as part of incident-response planning.
In the UK, there is no automatic statutory right for employers to lay off employees or to put them on short-time working; whether these measures are available depends on the circumstances, for example whether the company’s employment contracts contain specific provisions allowing short-time working. Otherwise, it may be necessary to obtain employee consent.
Even if an employer is unable to provide work, employees are generally entitled to receive their normal pay, and a failure to honour this could result in a claim for unlawful deduction from wages.
No matter what workforce measures the company intends to implement following a cyber-attack, it’s vital to communicate openly and clearly, offer support to affected employees and document any agreement or variation to the employment contract, including the reason for the changes and expected duration.