Data breach and supply chain


The relationship between data breaches and the supply chain is often underestimated, despite the fact that, for more than a decade, best practices have established useful methods and approaches to govern it. Recently, a particularly significant data breach put the issue back at the centre of the debate.

The Jaguar – Land Rover case

In early September, the car manufacturer Jaguar – Land Rover was hit by a very pervasive data breach. Apart from the ‘canonical’ problems familiar to anyone following the industry, the JLR case is important because, since the attack, car production has stopped and has not restarted. In a Wired article published on 28 September, author Matt Burgess writes:

While the company’s plants normally produce around a thousand vehicles a day, thousands of employees are now at home waiting for the company to solve a serious computer attack.

The impact is such that the damage resulting from this attack amounts to around 58 million euros per week (around £50 million). This is a staggeringly high figure, especially in the light of the secondary damage, with unions and workers, currently idle, bearing the brunt. The attack has been deemed ‘unprecedented’ by Jamie MacColl, a researcher in the technology and computer security research group at the Royal United Services Institute (R.U.S.I.), and has put the British governmental and institutional apparatus on alert. However, this attack is also particularly dangerous for another reason: it is not only JLR that has been hit, but the entire supply chain, and thus also the suppliers, who have suffered varying degrees of damage as a result. The attack, apparently claimed by Scattered Lapsus$ Hunters, therefore disrupted the critical dependency on suppliers. Below are all releases, listed from most recent to oldest, with original text and translation.

Date, Communiqué, Translation:

29/09/2025
Communiqué: A spokesperson for JLR said: “As the controlled, phased restart of our operations continues, we are taking further steps towards our recovery and the return to manufacture of our world-class vehicles. Today we are informing colleagues, retailers and suppliers that some sections of our manufacturing operations will resume in the coming days. We continue to work around the clock alongside cybersecurity specialists, the UK Government’s NCSC and law enforcement to ensure our restart is done in a safe and secure manner. We would like to thank everyone connected with JLR for their continued patience, understanding and support. We know there is much more to do but the foundational work of our recovery is firmly underway, and we will continue to provide updates as we progress.”
Translation: A JLR spokesperson said: “As the controlled and gradual restart of our operations continues, we are taking further steps towards our recovery and return to production of our world-class vehicles. Today we inform colleagues, dealers and suppliers that sections of our manufacturing operations will resume in the coming days. We continue to work around the clock with cyber security specialists, the UK government’s NCSC and law enforcement agencies to ensure that our restart is safe and secure. We would like to thank everyone connected to JLR for their continued patience, understanding and support. We know there is still much to be done, but the fundamental work of our recovery is firmly underway and we will continue to provide updates as we progress.”

25/09/2025
Communiqué: As part of the controlled, phased restart of our operations, today we have informed colleagues, suppliers and retail partners that sections of our digital estate are now up and running. The foundational work of our recovery programme is firmly underway. We have significantly increased IT processing capacity for invoicing. We are now working to clear the backlog of payments to our suppliers as quickly as we can. Our Global Parts Logistics Centre, which supplies the parts distribution centres for our retail partners in the UK and around the world, is now returning to full operations. This will enable our retail partners to continue to service our clients’ vehicles and keep our customers mobile. The financial system we use to process the wholesales of vehicles has been brought back online and we are able to sell and register vehicles for our clients faster, delivering important cash flow. These are important initial steps as our dedicated teams work around the clock alongside cybersecurity specialists, the UK Government’s NCSC and law enforcement to ensure we restart in a safe and secure manner. Our focus remains on supporting our customers, suppliers, colleagues and our retailers. We fully recognise this is a difficult time for all connected with JLR and we thank everyone for their continued support and patience.
Translation: As part of the controlled and gradual restart of our operations, we informed colleagues, suppliers and business partners today that sections of our digital assets are now operational. The core work of our recovery programme is firmly underway. We have significantly increased IT processing capacity for billing. We are now working to clear the backlog of payments to our suppliers as quickly as possible. Our Global Parts Logistics Centre, which provides parts distribution centres for our trading partners in the UK and around the world, is now back to full capacity. This will allow our trading partners to continue to service our customers’ vehicles and keep our customers mobile. The financial system that we use to process the wholesale of vehicles has been brought back online and we are able to sell and register vehicles for our customers faster, ensuring significant cash flow. These are important initial steps while our dedicated teams work around the clock with cyber security specialists, the UK government’s NCSC and law enforcement to ensure a safe and secure reboot. Our focus remains on supporting our customers, suppliers, colleagues and our resellers. We fully recognise that this is a difficult time for everyone connected to JLR and thank everyone for their continued support and patience.

23/09/2025
Communiqué: Today we have informed colleagues, suppliers and partners that we have extended the current pause in production until Wednesday 1 October 2025, following the cyber incident. We have made this decision to give clarity for the coming week as we build the timeline for the phased restart of our operations and continue our investigation. Our teams continue to work around the clock alongside cybersecurity specialists, the NCSC and law enforcement to ensure we restart in a safe and secure manner. Our focus remains on supporting our customers, suppliers, colleagues, and our retailers, who remain open. We fully recognise this is a difficult time for all connected with JLR and we thank everyone for their continued support and patience.
Translation: Today we informed colleagues, suppliers and partners that we have extended the current suspension of production until Wednesday, 1 October 2025, following the IT incident. We have taken this decision to provide clarity for the coming week as we build the timeline for the phased restart of our operations and continue our investigation. Our teams continue to work around the clock with cyber security specialists, the NCSC and law enforcement to ensure a safe and secure restart. Our focus remains on supporting our customers, suppliers, colleagues and our resellers. We fully recognise that this is a difficult time for everyone connected to JLR and thank everyone for their continued support and patience.

16/09/2025
Communiqué: Today we have informed colleagues, suppliers and partners that we have extended the current pause in our production until Wednesday 24th September 2025. We have taken this decision as our forensic investigation of the cyber incident continues, and as we consider the different stages of the controlled restart of our global operations, which will take time. We are very sorry for the continued disruption this incident is causing and we will continue to update as the investigation progresses.
Translation: Today we informed colleagues, suppliers and partners that we have extended our current suspension of production until Wednesday, 24 September 2025. We have made this decision as our forensic investigation into the cyber incident continues, and as we consider the various steps of the controlled restart of our global operations, which will take time. We are very sorry for the continued disruption this incident is causing and will continue to update as the investigation progresses.

10/09/2025
Communiqué: Since we became aware of the cyber incident, we have been working around the clock, alongside third-party cybersecurity specialists, to restart our global applications in a controlled and safe manner. As a result of our ongoing investigation, we now believe that some data has been affected and we are informing the relevant regulators. Our forensic investigation continues at pace and we will contact anyone as appropriate if we find that their data has been impacted. We are very sorry for the continued disruption this incident is causing and we will continue to update as the investigation progresses.
Translation: Since we became aware of the cyber incident, we have been working around the clock, together with third-party IT security specialists, to restart our global applications in a controlled and secure manner. As a result of our ongoing investigation, we now believe that some data has been compromised and are informing the relevant regulatory authorities. Our forensic investigation continues apace and we will contact anyone appropriate if we find that their data has been affected. We are very sorry for the continued disruption caused by this incident and will continue to provide updates as the investigation progresses.

06/09/2025
Communiqué: We continue to work around the clock to restart our global applications in a controlled and safe manner following the recent cyber incident. We are working with third-party cybersecurity specialists and alongside law enforcement. We want to thank all our customers, partners, suppliers and colleagues for their patience and support. We are very sorry for the disruption this incident has caused. Our retail partners remain open and we will continue to provide further updates.
Translation: We continue to work around the clock to restart our global applications in a controlled and secure manner following the recent cyber incident. We are collaborating with third-party IT security specialists and law enforcement agencies. We would like to thank all our customers, partners, suppliers and colleagues for their patience and support. We are very sorry for the interruption caused by this incident. Our retail partners remain open and we will continue to provide further updates.

02/09/2025
Communiqué: JLR has been impacted by a cyber incident. We took immediate action to mitigate its impact by proactively shutting down our systems. We are now working at pace to restart our global applications in a controlled manner. At this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted.
Translation: JLR was hit by an IT incident. We acted immediately to mitigate the impact by proactively shutting down our systems. We are working quickly to restart our global applications in a controlled manner. At this stage there is no evidence that any customer data has been stolen, but our retail and manufacturing operations have been severely disrupted.

The costs that Jaguar Land Rover is incurring are high. An initial EUR 1.7 billion loan (with a UK guarantee) is needed to cope with the consequences of the hacker attack, while a second EUR 2.3 billion loan is being used to ease the financial pressure on the company. It is worth keeping in mind that, even as JLR emerges from its most difficult period, Renault and Dacia are dealing with a new attack that will hopefully prove less damaging.

Critical dependence

Critical dependency occurs when the entire production chain or a key part of it is significantly dependent on a single supplier (or a small group of suppliers) for a component, material or service without which vehicle assembly or delivery cannot proceed. The characteristics of critical dependence are generally as follows:

  • Uniqueness of supplier: if only one company produces a certain component (e.g. a microchip for an ECU, an airbag, a catalytic converter), the OEM (Original Equipment Manufacturer, i.e. the car manufacturer) is tied to that supplier in a critical way.
  • Lack of immediate alternatives: the absence of alternative suppliers with the same capacity, quality or certification means that an interruption (strike, fire, bankruptcy, war, geopolitical crisis, shortage of raw materials) stops production.
  • Cascade effect: if the component is needed for final assembly and cannot be replaced or bypassed, the entire process stops even if all other suppliers deliver.

The problem with critical dependency is that the reorganisation required to cope with the emergency may cost too much time and money compared to the available resources. Furthermore, as the cascade effect shows, it easily generates ‘bottlenecks’ in the production process.

Production chain, wars and cyber domination

In February 2014, a Mercedes was travelling at speed along an American road, driven by a local businessman. Suddenly and without any warning, the steering wheel exploded in his face: the airbag inflated, the driver lost his grip on the wheel, the car swerved and overturned, and the man died. Just a few weeks later, similar accidents began to pile up, involving not only Mercedes but also Toyota, BMW and Volkswagen. It seemed as if the cars had all gone mad at once, but in fact everything was connected by a single supplier: the Takata Corporation. In 2015, 34 million cars were recalled in the US. Takata would have to pay a historic $940 million in compensation and, as a result, the Takata Corporation declared bankruptcy in 2017. This had a devastating impact on global car production, from Germany to the US via Japan. Takata is a classic example of what happens when there is a critical dependency in a sensitive production chain such as the automotive or aviation industry.

The JLR case has left many people amazed at the consequences of a cyber attack. This is a naive reaction: those who do not consider the supply chain from a cybersecurity perspective are simply short-sighted. Several articles on this portal have been dedicated to the importance of the supply chain (e.g. ‘NIS 2 – Information, Security and Suppliers’). We must bear in mind that the European economy is closely interconnected and, among other things, lacks certain technologies that it acquires from foreign markets out of necessity. Manipulation of the so-called supply chain can produce effects of varying magnitude and far from negligible intensity; the JLR case should be more than enough of an example.

International input on good practice and points of failure

As written at the beginning of the article, international good practice (the standards) has, for more than a decade, required that due attention be paid to the relationship with the supplier. This attention is certainly formalised in a contract with appropriate service levels, but it does not end there. Communication and incident management strategies are the central aspect, and it is also important to recognise that critical dependency cannot be ignored as an impacting factor in the production scenario. In IT, the concepts of replication, deduplication and redundancy are essential, but they require appropriate implementation strategies, without which these capabilities would fail at the very moment they are activated.

This brings us to a second aspect of interest: the single point of failure. The single point of failure is the element that generates the critical dependency because, when it is compromised, it causes a large-scale service interruption. AWS, Microsoft Azure and Google Cloud control the majority of the market; an outage in one of their regions can bring global services to a halt with vast and unmanageable repercussions. Much of the enterprise world depends on Microsoft Windows Server or certified Red Hat/Ubuntu Linux; licensing issues, vulnerabilities or incorrect support policies can bring entire ecosystems to a halt. Some product flaws are capable of producing large-scale consequences all at once: imagine zero-day flaws in widely deployed antivirus or security devices.

  • In July 2024, DigiCert discovered an error in the way it verified that a certificate applicant actually had domain control (DCV). Tens of thousands of SSL certificates were revoked as a result (follow-up link).
  • Fortinet released patches for two vulnerabilities in firewall devices that were actively exploited in ransomware attacks. Many companies that had not applied the patches (about 50,000) were left vulnerable, with exposure via the public management interface. This highlights the extent to which a single flaw in a network security vendor’s product can compromise tens of thousands of devices in cascade (in-depth link).

Dependence on a single entity can be very complicated to manage when the single point of failure is hit by an incident, dragging its customers down with it. It is therefore necessary to act at several stages:

  • Upstream: with a clear architecture design that can guarantee redundancy, high availability and even geo-redundancy if necessary.
  • During: by establishing robust supply contracts and up-to-date and effective monitoring and incident management strategies.
  • Downstream: with proven incident response, adequate recovery and disaster management (disaster recovery) capabilities.
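As an added illustration of the critical-dependency characteristics listed in the previous section (uniqueness of supplier, lack of immediate alternatives, cascade effect) and of the single point of failure and the upstream redundancy discussed here, the following Python example models a hypothetical OEM bill of materials as a small dependency graph. It finds sole-source components, identifies which suppliers are single points of failure, and propagates a supplier outage through the assemblies to show what halts. This is not code from the original article or from JLR; the supplier names, components and assemblies are constructed sample data.

```python
"""Supplier dependency analysis: sole-source components, single points of
failure and the cascade effect of a supplier outage (added example)."""
from collections import defaultdict

# Constructed sample data: a hypothetical OEM bill of materials. Each
# component maps to the set of qualified suppliers that can deliver it.
SUPPLIERS = {
    "ecu_microchip": {"ChipCo"},                        # sole source
    "infotainment_unit": {"ChipCo"},                    # same sole source
    "airbag_inflator": {"InflateCo"},                   # sole source
    "catalytic_converter": {"CatA", "CatB"},            # dual-sourced
    "steel_body_panel": {"SteelA", "SteelB", "SteelC"}, # triple-sourced
}

# Assemblies and the inputs each one requires. Every input is mandatory and
# cannot be bypassed, which is exactly what makes the cascade effect possible.
ASSEMBLIES = {
    "engine": ["ecu_microchip", "catalytic_converter"],
    "cabin": ["airbag_inflator", "infotainment_unit"],
    "body": ["steel_body_panel"],
    "vehicle": ["engine", "cabin", "body"],
}


def sole_source_components(suppliers):
    """Components with exactly one qualified supplier ('uniqueness of supplier')."""
    return {comp for comp, srcs in suppliers.items() if len(srcs) == 1}


def supplier_exposure(suppliers):
    """Map each supplier to the components for which it is the only source.

    Any supplier listed here is a single point of failure; one that is the
    sole source of several components concentrates the risk even further.
    """
    exposure = defaultdict(set)
    for comp, srcs in suppliers.items():
        if len(srcs) == 1:
            exposure[next(iter(srcs))].add(comp)
    return dict(exposure)


def simulate_outage(suppliers, assemblies, down_suppliers):
    """Propagate a supplier outage through the bill of materials.

    A component becomes unavailable only when *every* qualified supplier is
    down (redundancy absorbs single failures). An assembly halts when any of
    its inputs is unavailable or halted, recursively up to the top level.
    Returns (unavailable_components, halted_assemblies).
    """
    down = set(down_suppliers)
    unavailable = {comp for comp, srcs in suppliers.items() if srcs <= down}
    halted = set()

    def blocked(node):
        if node in unavailable or node in halted:
            return True
        if node in assemblies and any(blocked(child) for child in assemblies[node]):
            halted.add(node)
            return True
        return False

    for assembly in assemblies:
        blocked(assembly)
    return unavailable, halted


def critical_suppliers(suppliers, assemblies, top="vehicle"):
    """Suppliers whose individual outage, on its own, stops the top-level assembly.

    This is the critical-dependency set: suppliers for which no alternative
    exists anywhere on the path to final assembly.
    """
    every_supplier = set().union(*suppliers.values())
    return {s for s in every_supplier
            if top in simulate_outage(suppliers, assemblies, {s})[1]}


if __name__ == "__main__":
    print("Sole-source components:", sorted(sole_source_components(SUPPLIERS)))
    print("Supplier exposure:", supplier_exposure(SUPPLIERS))
    print("Critical suppliers:", sorted(critical_suppliers(SUPPLIERS, ASSEMBLIES)))
    for scenario in ({"ChipCo"}, {"CatA"}, {"SteelA", "SteelB", "SteelC"}):
        unavailable, halted = simulate_outage(SUPPLIERS, ASSEMBLIES, scenario)
        print(f"Outage {sorted(scenario)}: unavailable={sorted(unavailable)} "
              f"halted={sorted(halted)}")
```

Run as a script, the report shows that losing ChipCo alone makes two components unavailable and halts the engine, cabin and vehicle assemblies, while losing one of the two catalytic-converter suppliers halts nothing: that is the upstream redundancy from the list above made measurable, and the critical-supplier set is the list of second-source (or contractual and monitoring) gaps to close first.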

Conclusion

The recent increase in geopolitical complexity favours the concentration of cyber attacks on specialised organisations. Until now, these companies have had very few problems managing cyber incidents or, in any case, have not had to worry about business continuity and disaster recovery. It should be understood that these organisations could become, despite themselves, directly or indirectly part of a cyber incident that disrupts and alters the integrity of the entire production chain and, in some cases, significantly damages the economy of a given country. Developing alternative plans ensures the most efficient response possible: it works no miracles, but it does stop one from navigating blindly in the dark.