How one human error (almost) brought down a giant? The cyberattack on Jaguar Land Rover

Do you think cybersecurity is only a problem for the IT department? That “it doesn't concern you”? Or that your company has “nothing to steal”? Tell that to Jaguar Land Rover (JLR).

The massive cyberattack that hit the company on August 31, 2025, paralyzed it for more than six weeks. In the worst-case scenario, this attack could have led to the complete collapse of one of the pillars of the British economy. This is not a theory. It really happened, right before our eyes.

The attack on Jaguar Land Rover was a classic example of ransomware—software that encrypts data and demands a ransom for unlocking it. The attackers, identified as the English-speaking group Scattered Spider, struck with surgical precision. The incident began on August 31, 2025, and was detected on the same day. The response was immediate—production was halted on September 1. However, this was not a short-lived problem.

The attack was not limited to one factory. The shutdown affected both key plants in the UK and foreign branches. For over a month, not a single car rolled off the assembly lines, which normally produce dozens of cars a day. Initially, the company hoped to resume operations on October 1, but the scale of the damage was too great. It was not until October 8, 2025, after more than six weeks, that the company announced the start of a “controlled, phased restart of production.”

The financial impact is hard to imagine. It's estimated that the shutdown cost JLR up to £50 million a week. Economists put the total revenue loss at £2.2 billion. The situation became so serious that the British government had to intervene, guaranteeing the company a £1.5 billion loan to protect it from collapse and insolvency.

However, the figures do not tell the whole story. The attack directly affected 30,000 JLR employees and over 100,000 people employed throughout the supply chain. Companies such as Genex UK, Evtec, WHS Plastics, and OPmobility, which are suppliers to JLR, had to send people on unpaid leave or reduce their workforce. Even competitors felt the effects.

Aston Martin officially informed the London Stock Exchange that it could not rule out a negative impact of the incident on its own finances. The collapse of the local economy was visible to the naked eye.

Pub and café owners in the vicinity of the factories reported that employees, fearing for their future, had stopped spending money. Families lived in fear of whether they would be able to provide Christmas for their children.

It's not just their problem. We have our own “JLR.”

Think this is a distant problem? Wrong. We don't need to look to the UK to see the paralysis caused by ransomware. We have our own painful examples.

Remember the chaos at the Air Ambulance Service (LPR)? It was the same scenario. In 2023, attackers blocked key systems, preventing flight planning, among other things. The coordination of life-saving operations was at risk. All because of an attack that probably started with an infected attachment.

And that's just the tip of the iceberg.

Attacks on Polish companies such as Suder and EkoTrade show that Polish businesses are also targets. Both companies fell victim to ransomware, which resulted in data encryption and huge financial and operational losses. The statistics are alarming: Poland is among the top five countries in the world most frequently and most effectively attacked by ransomware. We are a very attractive and, unfortunately, often easy target for cybercriminals.

Why is man still the weakest link?

How is it possible that a group of hackers can break into a billion-dollar corporation, paralyze the emergency medical system, or shut down a Polish factory? They didn't have to break down any digital doors. All it took was for an unwitting employee to open them. People are still the weakest link.

In the case of JLR, the Scattered Spider group is known for its specialization: calling people. This is known as vishing (voice phishing). The attackers call the helpdesk or employees directly, impersonate someone else (e.g., an IT technician from another location), and manipulate the conversation in such a way that the victim gives them their passwords or installs an “urgent update.”

In the case of LPR and many other attacks, the vector is even simpler: classic phishing. All it takes is one email pretending to be an invoice, an urgent order from the boss, or information from the HR department. One unaware employee, one click on the wrong attachment, and disaster strikes.

Do you think this is rare? In one of the phishing attack simulations I conducted, as many as 63 people opened the fake email, and 37 of them entered their real company passwords on the fake website. Just one of them would have been enough to take over the company.

What can you do about it?

The attacks on JLR, LPR, and EkoTrade clearly show that cybersecurity is not just an IT task. It is the responsibility of every employee. The cost of education and training is a fraction of the £2.2 billion lost by JLR or the paralysis of a life-saving system in Poland.

Technical security measures are important, but without aware people, they are like the most expensive security doors left wide open.