JLR attack is the most expensive security breach in UK history

Attack is estimated to have cost £1.9bn so far and affected over 5000 organisations

The Cyber Monitoring Centre (CMC) has categorised the recent malicious cyber incident affecting Jaguar Land Rover (JLR), as a Category 3 systemic event on the five-point Cyber Monitoring Centre Scale. The estimated cost will not be borne solely by JLR, but also by the 5000 organisations which make up its supply chain.

The Cyber Monitoring Centre (CMC) launched its cyber event classification system in February. It’s a world-first initiative and was designed to try to bring transparency to the murky world of cyberattacks.

The centre uses a wide range of publicly available data and input from industry experts to assess cyber incidents which have a potential impact of more than £100 million against its framework and categorise them on an easy-to-understand scale of one to five.

Commenting on the report Ciaran Martin, Chair of the CMC’s Technical Committee, said:

“With a cost of nearly £2 billion, this incident looks to have been by some distance, the single most financially damaging cyber event ever to hit the UK. That should make us all pause and think, and then – as the National Cyber Security Centre said so forcefully last week – it’s time to act. Every organisation needs to identify the networks that matter to them, and how to protect them better, and then plan for how they’d cope if the network gets disrupted.”

JLR is still recovering from this attack and was given a £1.5bn loan guarantee by the UK government last month, when it became clear that the impact of the attack would likely inflict lasting damage on the economy of the West Midlands, where the majority of JLRs supply chain is located.

Final cost likely to increase

The full statement from the CMC explains that the final cost of the attack is likely to be higher – the assessment can only be based on what is so far known about the attack. JLR has not commented on whether the cyberattack was ransomware which can potentially be far more damaging to an operational network than a straight data theft or extortion attack.

The CMC analysis does not include any assumptions about the cost of ransom payments or any losses arising from the cost of data breaches.

If operational technology has been damaged to the extent that production is not restored to pre-event levels on the timetable that JLR has indicated, the tally will continue to increase. JLR began a phased restart of production in early October and says it will continue this phased approach over the coming months.

The CMC’s current estimate reflects the substantial disruption to JLR’s manufacturing, to its multi-tier manufacturing supply chain, and to downstream organisations including dealerships.

Will Mayes, Chief Executive of the Cyber Monitoring Centre commented on the reach of this attack, and how it illustrated the fragility of complex manufacturing supply chains.

“What this incident demonstrates is how a cyber attack on a single major manufacturer can cascade through thousands of businesses, disrupting suppliers, transport, and local economies, and triggering billions in losses across the UK economy. Our role at the CMC is to provide the independent, evidence-based analysis that boards, insurers, and policymakers need to make informed decisions about resilience and risk.”

Computing says:

The August attack on JLR dominated mainstream news, but the company was also compromised in March this year – which was not widely reported. Those attackers exploited Atlassian JIRA credentials that had been stolen from employees using infostealer malware over several years and used them to steal 350GB of JLR data.

The company did not comment publicly on that attack, and they have not indicated that the attacks are linked. Nonetheless, it doesn’t require a huge leap of imagination to consider that they might be. Harvested credentials can lurk on the dark web for some time, just waiting for the right criminal to exploit them. Strong security practice would update those credentials regularly to limit the reach of such attacks.

If you’re a current or aspiring cybersecurity leader check out the Computing Security Leaders Summit on March 26th 2026. Packed with content including business continuity planning, bridging the cyber skills gap and cloud resilience, its promises to be full of insight and practical advice to take away. Register here for your free place.