Edit: I broke the thread again by mistake. Prior thread: https://cyberplace.social/@GossiTheDog/115242040984922549

Jaguar Land Rover have extended their car production shutdown for at least another week: https://www.bbc.com/news/articles/c15kpxnn2p2o

There’s a curious and unsourced line at the end of the BBC article: “JLR is currently taking the lead on support for its own supply chain, rather than any state intervention.”

If so, why are suppliers laying off staff and calling for government intervention?

Kevin Beaumont (@GossiTheDog)

One awkward element to all of this is the UK Prime Minister launched his growth strategy, with the banner Securing Our Future, at Jaguar Land Rover. It was supposed to be how AI and automation would secure the UK economy. Edit: thread broke, it continues here: https://cyberplace.social/@GossiTheDog/115252536089032550

Exclusive: Jaguar Land Rover failed to secure cyber insurance deal ahead of incident, sources say

Jaguar Land Rover failed to finalise a cyber placement brokered by Lockton ahead of the incident that halted the British carmaker's production, three senior cyber insurance market sources told The Insurer.

Peter Kyle and Chris McDonald met JLR’s CEO and senior executives at its Gaydon headquarters to discuss latest situation.
https://www.gov.uk/government/news/ministers-meet-jlr-bosses-and-supply-chain-companies-to-help-secure-future-of-car-industry
Ministers meet JLR bosses and supply chain companies to help secure future of car industry

Robert Peston, who was the first to report on the government's bailout of banks in the 2008 financial crisis, reports the UK government is considering bailing out JLR's suppliers by effectively becoming the lender of last resort - by buying parts off suppliers, and then reselling them to Jaguar Land Rover.

In effect the UK government will become JLR's supplier's customer.

https://www.itv.com/news/2025-09-24/how-the-government-plans-to-support-jaguar-land-rover-suppliers

If anybody is wondering, I took a tour of JLR's network border last night - everything is still offline, except for https://wslx.jlrext.com/ (single factor login), some routers running SSH to the internet, NTP and Fortigate firewalls with open ports to internet.

The BBC reports “Senior government figures are concerned about a pattern of cyber attacks on UK institutions and businesses, such as the British Library, Marks & Spencer, and the Co-op.”

They should be. We’ve got to collectively work together to defuse the ransomware economy - even if that means repositioning security industry incentives.

We’ve also got to be deeply honest about where the challenges are coming from - which is not just Russia, but at home in the UK.

https://www.bbc.com/news/articles/c62nv0xx32go

Jaguar Land Rover: Government mulls financial support for supply chain firms

Fears are growing that some of the carmaker's suppliers could go bust without support.

The FT has figured out JLR have no insurance.

I'm not sure they'll take the full cost of recovery though - since the government is likely bailing out their key suppliers.

https://www.ft.com/content/c301e78a-38e7-4818-b367-14af85130c61

For those who haven't been following JLR in detail, key chain of events:

1) JLR outsource key IT and infosec functions to TCS, approved by 1x director and 2x NEDs on both JLR and TCS boards

2) JLR transfer staff by TUPE to TCS

3) TCS lay off transferred UK staff, including cyber risk and governance and cyber monitoring

4) record profits for a decade

5) got hacked

6) company stops functioning

7) get government to bail out their key suppliers (in progress)

JLR have some of its IT systems back online. Production is still halted. https://www.bbc.com/news/articles/c0q75q4l87no

I can’t see anything internet facing back online. Looks like they have bits of SAP back for supplier payment of historic orders.

Jaguar Land Rover restarts some IT systems after cyber-attack

The carmaker says it is working through a backlog of payments as its IT systems come back online.

If you’re wondering how JLR’s parent company, Tata Motors, is getting on - share price is up over the month. Investors don’t really care that a large part of the org shut down as they know the UK taxpayer will prop it up.

The Chair of the Business and Trade Committee, Liam Byrne MP, has today written to TCS asking probing questions about the attacks on Co-op, Marks and Spencer and Jaguar Land Rover. https://committees.parliament.uk/publications/49627/documents/264574/default/

Personally I think the UK is going to be one to watch now, as if I was an e-crime threat actor - I’d zero in on the UK.

Orgs have shown they will pay, teens getting in and poor MSPs shows poor security practices, the NCA won’t tell the ICO (data regulator) too around what actually happened, and the government will bail out orgs financially and provide IR help while they recover.

It’s all of the wrong messages being broadcast. Strap in.

If you look at the NCSC UK too, their remit is to help make the UK the safest place to do business..

but if you look at the general output lately, it’s quantum stuff and firewall espionage stuff. They’re good people but it feels too close to GCHQ, and so too far removed from the operational reality on the ground.

My view - saying the recent incidents should be a wake up call isn’t moving the needle enough in business.

So a lever is, if JLR need bailing out, put the PM on TV to announce it, explain why and the context of attacks on UK institutions, and announce paying all extortion attempts will be outlawed by the end of parliament. It would send shockwaves through business and force real resiliency planning.

The Times (paywalled) reports JLR plan to restart some production in just over a week - "puts suppliers on notice for production at its Wolverhampton engine works to resume on October 6".

The prior update was production suspended until October 1st, so I imagine that is slipping.

Government to guarantee £1.5bn loan to Jaguar Land Rover directly https://www.bbc.com/news/articles/cgl15ykerlro

Government to guarantee £1.5bn Jaguar Land Rover loan after cyber shutdown

Ministers hope the loan, from a commercial bank and underwritten by the government, will give certainty to suppliers.

Jaguar Land Rover has sought £2 billion in emergency funding from global banks as the carmaker tries to ease the financial strain of the cyber incident.

The funding is separate from a £1.5 billion loan, provided by a commercial bank and guaranteed by UK Export Finance, that the carmaker will repay over five years.

https://www.bloomberg.com/news/articles/2025-09-29/jaguar-land-rover-seeks-2-billion-emergency-funds-et-says

MPs are now saying Jaguar Land Rover may need more government intervention on top of the existing £1.5bn help https://www.bbc.com/news/articles/c62zggj69e0o

Jaguar Land Rover may need more government help, MP says

Liam Byrne spoke after the government announced it was backing a £1.5bn loan to the company, and warned cyber-attacks could become more common.

JLR say "some sections" of their manufacturing will restart in the coming days. Network border all still offline, btw.

Obviously, it's going to be interesting to see the long term implications of all of this.

The next time there's a big ransomware incident in the UK (and there will be, as there's no real plan about how to deal with it), there's going to be calls for government financial intervention (via taxpayers) and NCSC to do incident response etc. Cyber resiliency for board = demand support when IT goes wrong.

A senior civil servant refused to sign off on Saturday's announcement of financial support for Jaguar Land Rover, the government did a rare overrule of them and proceeded anyway. https://www.ft.com/content/33d91816-514f-4da1-b6dd-abedbc21df61

JLR UK has been offline for so long they've gone from 400+ devices on Shodan to about 40

From network border monitoring, I can see JLR have been working to get sections of their on prem services (behind FortiGate firewalls) back online this weekend, I’m guessing Monday is when more substantial restoration begins.
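
One way to do this kind of border monitoring over time, as an added example that is not from the thread and uses no real JLR data: two constructed snapshots of the host/port/product records an EASM tool or Shodan export yields, a diff showing what came back online, and a triage pass that flags the exposures the posts above single out (SSH management to the internet, single-factor login portals). Every host, port and the MFA flag below is constructed; a port scan cannot see MFA, so that field would come from your own inventory.

```python
from collections import namedtuple

# One reachable service on the border. `mfa` is not visible to a port scan;
# it comes from the defender's own inventory (constructed here; None = unknown).
Service = namedtuple("Service", "host port product mfa")

# Constructed snapshot taken while most of the estate was deliberately offline.
DURING_OUTAGE = [
    Service("203.0.113.10", 443, "web login portal", False),
    Service("203.0.113.20", 22, "openssh", None),
    Service("203.0.113.30", 123, "ntp", None),
    Service("203.0.113.40", 443, "fortigate sslvpn", None),
]

# Constructed later snapshot: on-prem services reappearing behind the firewall.
RESTORING = DURING_OUTAGE + [
    Service("203.0.113.40", 10443, "fortigate admin", None),
    Service("203.0.113.50", 443, "sap web dispatcher", None),
    Service("203.0.113.51", 443, "sap web dispatcher", None),
]

# Ports treated as management surfaces: SSH, RDP and a common FortiGate admin HTTPS port.
MANAGEMENT_PORTS = {22, 3389, 10443}

def exposed_device_count(snapshot):
    """Distinct hosts with at least one reachable service (the 'devices on Shodan' figure)."""
    return len({s.host for s in snapshot})

def diff_snapshots(before, after):
    """Return (came_online, went_offline) as sorted (host, port) pairs."""
    b = {(s.host, s.port) for s in before}
    a = {(s.host, s.port) for s in after}
    return sorted(a - b), sorted(b - a)

def triage(snapshot):
    """Flag the exposures worth escalating while services are being restored."""
    findings = []
    for s in snapshot:
        if s.port in MANAGEMENT_PORTS:
            findings.append((s.host, s.port, "management interface reachable from the internet"))
        if "login" in s.product or "vpn" in s.product:
            if s.mfa is False:
                findings.append((s.host, s.port, "single-factor login portal"))
            elif s.mfa is None:
                findings.append((s.host, s.port, "login surface with unverified MFA status"))
    return findings

if __name__ == "__main__":
    print("devices:", exposed_device_count(DURING_OUTAGE), "->", exposed_device_count(RESTORING))
    online, offline = diff_snapshots(DURING_OUTAGE, RESTORING)
    print("came online:", online, "went offline:", offline)
    for host, port, why in triage(RESTORING):
        print(f"{host}:{port} {why}")
```

Run against real exports, the diff is the restoration timeline and the triage list is what to raise with the recovery team before the device count climbs back.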

There we have it, JLR starting to phase back manufacturing. Externally it looks like they’ve managed to restore some systems.

https://www.bbc.com/news/articles/ckge0ex5g27o

Jaguar Land Rover expected to restart some production after cyber-attack

Work is to resume first at the carmaker's engine factory in Wolverhampton on Monday.

JLR have restored some production at several sites, and are working to financially support some suppliers
https://www.bbc.co.uk/news/articles/c3w5g6683p8o

JLR factory production lines resuming hailed as 'significant moment'

Workers return to West Midlands and Merseyside factories in a "significant moment" for the company.

The ongoing cyber incident at Jaguar Land Rover has cost £2bn so far according to the CMC, who are credible.

JLR do not have any cyber insurance (not that it would help much as they all have policy limits far below that).

https://www.bbc.com/news/articles/cy9pdld4y81o

JLR hack 'is costliest cyber attack in UK history', experts say

The cyber attack on Jaguar Land Rover is estimated to cost £2.1bn, the Cyber Monitoring Centre says.

@GossiTheDog went through the thread here, but didn't find a clear answer - do we know how attackers got their initial foothold into JLR?

Sounds like, if no, the obvious guess would be the same way M&S and Co-Op got hit since they were also using TCS?

@GossiTheDog it being Kyle, what do we think the chances that he based his decision on "ChatGPT said the risk was ok" are? I am going pretty high.

@GossiTheDog
1) There will be one (big ransomware incident) even if there's a real plan about how to deal with it. Threat actors don't care about plans - they hit everything that has money and is vulnerable. Often even if it doesn't have money.

2) Government intervention in the free market is socialism. The government shouldn't bail out JLR, or banks, or whatever. Let them fail and be replaced by more resilient companies. Now everybody else will demand bailouts too.

@GossiTheDog does this make it more profitable for the ransom groups "ask your government for 2000 BTC" or just reduce the need for companies to worry so much?

@GossiTheDog Prime example of how to profit off of failure by doing literally nothing.

"How do I fail up?"
"Just wait"

@GossiTheDog too big to care in one headline 😔
@GossiTheDog Galaxy brain move from Tata
@GossiTheDog at that point we are getting close to nominal value aren't we? They won't but it feels like getting close to emergency nationalisation territory (or at least "healthy chunk of shares with voting rights in exchange for the low interest loans and guarantees").

@GossiTheDog Capitalise the gains, socialise the losses.

F'ckn brilliant.

@GossiTheDog Surely the invisible hand of the market will handle this?
@GossiTheDog This is just... wow.
1. Big, obviously system critical company gets sold to foreign corpo behemoth.
2. Critical roles in security get outsourced overseas to said corpo behemoth.
3. Behemoth fails to perform duties of said roles.
4. Company gets pwned.
5. Company wants bailout.
6. Government gives 3.5 billion bucks to company (tbc).

@GossiTheDog

One might consider this as an act of war

@GossiTheDog
Presumably because JLR are refusing to pay the ransomware demands ?
@GossiTheDog why do they get the money when JLR are owned by an Indian company? Especially when you remember they were abandoned by the government when they were owned by the British.
@BackFromTheDud @GossiTheDog probably because they’re one of the largest employers in the UK
@GossiTheDog Oh good, with their profits from last quarter they can pay it off now!
@GossiTheDog "loan money to JLR to protect the employees of their suppliers" is absolute galaxy brain thinking.
@GossiTheDog surely some kind of insurance coverage could be a requirement for these organizations? they don't want to spend on their own infrastructure, they can pay higher premiums.

@lambtor @GossiTheDog insurance can only work if insurers can accurately assess and price risk. In an environment where the hazards are so dynamic, context-dependent, and adaptive to controls, that assessment and pricing is extremely difficult, hence why insurance has not, thus far, been a useful tool in managing information security risks.

@womble @lambtor @GossiTheDog "too big to fail" is the insurance. Like the old saying about when you borrow enough money it's the bank's problem, if you employ enough people or have enough people's pensions invested in you, failure becomes the government's problem, not the board's.
@GossiTheDog any bailout (especially of a foreign company) should give the taxpayer a stake in that company - the whole "too big to fail" mantra has a very questionable ROI for a country or the tax burdened populace
@GossiTheDog that, if nothing else, might ensure cyber-security is taken more seriously in the c-suites
@GossiTheDog What @ciaranmartin called "low-hanging fruit".

@GossiTheDog we have also recently released (last week) a buyers guide for external attack surface management - https://www.ncsc.gov.uk/blog-post/easm-buyers-guide-now-available - d

we also continue to push forward on Share & Defend too etc.

all of which are intended to protect the many and reduce the easy wins.

EASM buyer's guide now available

How to choose an external attack surface management (EASM) tool that’s right for your organisation.

@GossiTheDog at last, someone speaking up about the NCSC and its lack of impact. I don’t think they do a well enough job at all. They’re very ineffective. In the recent jobs I’ve had, the NCSC might as well not exist. They talk about protecting UK assets but it’s just radio silence on the basic IT stuff. They should be driving home messages about the IT basics, I should be hearing from them every day, they should be much more vocal. I get better service about cyber threats from Mastodon.

@GossiTheDog there needs to be a whole lot more focus on resiliency and business continuity.

Too much focus on prevention and detection, not enough on recovery.

@GossiTheDog NCSC are a complete waste of time. They don't speak to or with companies that can make a difference

@GossiTheDog we’re in for some chop for sure..

We’ve gone from 3 lines of defence and skills-based hiring to “let the cheapest bidder run our identity service and we’ll cross our fingers that they really do background checks and basic awareness training”
Also, cyber resilience?
We’re seeing teenagers directly skew the UK economy…
Nice work NCSC etc …
When you don’t really know who manages your stuff, grants access to your stuff, backs your stuff up or protects your stuff… you’ve outsourced responsibility whilst remaining entirely accountable
The threat actor ecosystem is largely driven by financial reward… which makes these supply chain watering holes irresistible…

@GossiTheDog I worked in dns and hosting retail, massive target and constant fight against fraud and crimes from money laundering to cse.. guess how much interaction and support we had with uk and eu law enforcement and cybersecurity. Nada. Zip. Nil. Likewise credit card companies, they very rarely flagged stolen credit cards, just charged back and threatened increased charges if there was a spike while we used multiple layers of anti-fraud tech and services. It feels like none of the big organisations that should be stepping up to fight online crime and fraud give even the tiniest fraction of a shit. ... but oh wait id card and database are back in UK government plans. For fucks sake
@GossiTheDog And then there's this, too. Shareholders don't give a damn if your products take down whole airports.

@christopherkunz @GossiTheDog

Probably pays for companies to buy back their shares in a crisis, to prop up the share price.

They see it as a better return on investment than actual cyber security.

@christopherkunz @GossiTheDog
Or stock price isn't rational and people aren't selling off because they don't own stock in airports or JLR.

@christopherkunz @GossiTheDog

RTX is formerly known as Raytheon.

I doubt a few airports getting hacked even registers on the bulletin board of a defense contractor that is selling missiles hand over fist.

@crabbypup @GossiTheDog They said so themselves in their SEC filing: "No material effect on our business". Still, Collins is 1/3 of RTX total revenue stream, according to their 2024 annual report. So it's not nothing if this part of their corporation goes down the drain.
If I were an airport operator anywhere in the world, I'd look _very closely_ at how Collins handle this.

@GossiTheDog so outsource all the liability and then you can just get the government to bail you out when shit does happen, while all the shareholders and directors get paid big bucks for "saving money".

Got it.

@GossiTheDog given the shared ownership I hope the execs involved get charged with fraud along with whatever is appropriate for their obvious neglect of fiduciary duty
@GossiTheDog I guess the obvious question is "how many of said suppliers were spun-off from JLR back in the day?"