If you still think cyber risk is an IT problem, September to October 2025 should cure you. Jaguar Land Rover’s (JLR) cyber incident stopped production, knocked sales and forced a phased restart after more than a month of disruption during “new plate day”, no less. Suppliers were left scrambling for cash, while the Government and lenders worried about knock-on effects across the automotive supply chain.
JLR wasn’t alone. Retail has had a torrid year: Marks & Spencer (M&S) endured a widely reported attack in April that shut down online orders for days and wiped hundreds of millions off its market value; Co-op disclosed a breach that cost £80m in H1 alone; Harrods has twice warned customers about third-party breaches in 2025. All this against an NCSC backdrop of rising “highly significant” incidents and louder warnings to boards.
This piece is a practical briefing for senior management: what these incidents teach us, what UK GDPR expects of you and how to harden your business without killing agility.
What happened at JLR and why it matters beyond automotive
Duration and scale of the attack
The attack, first public at the end of August, paralysed factories and retail operations. JLR extended shutdowns to 1 October, then moved to a phased restart across the UK and overseas plants. Sales fell materially in the affected quarter.
The supply-chain shock
The stoppage rippled into hundreds of SMEs. Some suppliers faced extreme cash-flow stress, prompting JLR to stand up accelerated payments and prompting public talk of government support/loan guarantees.
The cyber insurance gap
Reporting suggested JLR had not finalised a cyber policy before the incident, which is an uncomfortable reminder that self-insurance only works if your balance sheet can take the hit. Reuters put weekly losses at approximately £50m during the shutdown.
Board takeaway: a single compromise can move from “IT outage” to production stop, missed revenue, supplier distress and political attention in days. That’s an enterprise risk, not a helpdesk ticket!
A pattern emerging across UK businesses in 2025
Retail sector examples: M&S, Co-op and Harrods
- Marks & Spencer: April’s incident halted online orders and payments, dented store operations and triggered weeks of recovery work amid attribution chatter around “Scattered Spider” methods.
- Co-op: A prolonged attack cost £80m in operating profit and £206m in revenue in H1; containment required taking systems offline and recovery updates ran into mid-May.
- Harrods: Two separate 2025 incidents (including a 430,000-record third-party data theft) underline the reality that your suppliers are your attack surface.
National trend: Escalating incidents and board responsibilities
The UK’s cyber authority has reported a sharp rise in nationally significant incidents; ministers have been publicly urging boards to treat cyber as a strategic risk.
Board takeaway: While attack dynamics vary by sector, they tend to follow a familiar pattern: initial compromise through credential theft or social engineering, followed by privilege escalation, data exfiltration and ultimately disruption or extortion. These incidents often leave a long operational footprint and attract significant regulatory scrutiny, underscoring the importance of proactive security measures and robust incident response planning.
Understanding your legal duties under UK GDPR
When an incident involves personal data (customers, staff, suppliers), UK GDPR triggers apply. Three core duties matter to boards:
Reporting and notification duties
Assess and record whether there’s a “personal data breach” that risks people’s rights and freedoms (confidentiality, integrity or availability impact). If yes, you must notify the ICO “without undue delay” and within 72 hours of becoming aware. The 72-hour clock starts on discovery, not root-cause confirmation. Keep a breach log even if you decide not to notify.
When to notify individuals and the ICO
Tell individuals “without undue delay” if the breach is likely to result in a high risk to them (e.g. identity theft, financial fraud or exposure of sensitive data). This is separate from the ICO notification.
Accountability and demonstrating compliance
Demonstrate accountability. The ICO will look for evidence you had proportionate security (Article 32), a breach response plan, vendor controls and an up-to-date Record of Processing (RoPA). The regulator’s enforcement this autumn (e.g. Capita: £14m for 2023 failings) shows it will fine where basic hygiene and timely response are missing.
Related regimes
If you provide public electronic communications services (PECR) or are in trust services (eIDAS), additional and faster notifications can apply. Critical suppliers may also face sector rules. When in doubt, start the timer and log actions.
When to call legal (and why)
As soon as you suspect a personal-data impact. Counsel helps triage materiality, structure the 72-hour ICO narrative, manage legal privilege over forensic reports and coordinate customer/partner communications so you don’t create liability with an imprecise message.
The long tail - liability, litigation and financial risk
Regulatory fines and exposure
Regulatory fines (UK GDPR): up to £17.5m or 4% global turnover, whichever is higher, although ICO practice focuses on proportionality and remediation; still, recent fines show real bite when basics are missing.
Contractual and consumer claims
Contractual exposure: SLAs, availability commitments, data-processing obligations and indemnities can crystallise. Expect claims from B2B customers and tough renewals if you can’t evidence improvements.
Group/class actions: Consumer data incidents can prompt representative actions or coordinated claims, even when stolen data is “just” names and emails, especially if phishing waves follow.
Costs
Direct costs: forensics, incident response, PR, legal, credit monitoring, overtime; indirect costs are bigger - lost sales, productivity, delayed projects, supply-chain remediation and insurance hardening. Reuters’ reporting around JLR’s weekly burn is illustrative.
Insurance pitfalls and exclusions
Insurance traps: Cyber policies often exclude nation-state activity, require specific security warranties (MFA, EDR, backups), and can be voided by material non-disclosure. The suggestion that JLR had no finalised cyber policy at the time of attack is a cautionary tale.
When to call legal (and why)
You’ll want a tight contract review (force majeure, liability caps, data indemnities), help notifying counterparties and advice on preserving privilege over internal documents and board minutes.
Practical playbook: 18 controls that make a real difference
This is the short list your board can hold management to. Most are low-friction, high-impact.
Identity and access
- MFA everywhere, particularly for email, VPN, remote admin and SaaS; enforce phishing-resistant MFA for admins.
- Privileged Access Management (PAM) and Just-in-Time admin rights; no standing domain admin.
- Conditional access and geo/behavioural risk; block logins from impossible travel and known bad ASNs.
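To make the “impossible travel” and “known bad ASN” rules concrete, here is an added example (not code from the original article or from any identity provider) that evaluates a small set of sign-in events the way a conditional-access or SIEM rule would. The coordinates, user names, ASN labels and the 900 km/h speed ceiling are all constructed assumptions; a real deployment would read the geolocated sign-in log exported by your identity provider instead.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumption: nothing legitimate moves a user faster than a commercial jet.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime      # timezone-aware timestamp of the sign-in
    lat: float          # geolocated source IP, as recorded by the IdP
    lon: float
    asn: str            # autonomous-system label the IdP recorded


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def evaluate_logins(logins, blocked_asns, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return a list of findings, each a tuple (user, reason, detail)."""
    findings = []

    # Rule 1: sign-ins from a known bad ASN are flagged outright.
    for lg in logins:
        if lg.asn in blocked_asns:
            findings.append((lg.user, "blocked_asn", lg.asn))

    # Rule 2: consecutive sign-ins by the same user that would require
    # travelling faster than the plausible ceiling are "impossible travel".
    by_user = {}
    for lg in sorted(logins, key=lambda x: (x.user, x.when)):
        by_user.setdefault(lg.user, []).append(lg)
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            # Two sign-ins in the same second from different places are still
            # impossible; floor the interval at one second so speed stays finite.
            speed = dist_km / max(hours, 1 / 3600.0)
            if speed > max_speed_kmh:
                findings.append((user, "impossible_travel", round(speed)))
    return findings


# Constructed sample sign-in events (not real log data).
_UTC = timezone.utc
SAMPLE_LOGINS = [
    Login("alice", datetime(2025, 10, 1, 9, 0, tzinfo=_UTC), 51.5074, -0.1278, "AS-ISP-A"),   # London
    Login("alice", datetime(2025, 10, 1, 11, 0, tzinfo=_UTC), 1.3521, 103.8198, "AS-ISP-A"),  # Singapore, 2h later
    Login("bob", datetime(2025, 10, 1, 9, 0, tzinfo=_UTC), 51.5074, -0.1278, "AS-ISP-A"),     # London
    Login("bob", datetime(2025, 10, 1, 12, 0, tzinfo=_UTC), 53.4808, -2.2426, "AS-ISP-A"),    # Manchester, 3h later
    Login("carol", datetime(2025, 10, 1, 10, 0, tzinfo=_UTC), 48.8566, 2.3522, "AS-BAD-EXAMPLE"),  # Paris, bad ASN
]
BLOCKED_ASNS = {"AS-BAD-EXAMPLE"}  # constructed placeholder for a threat-intel block list


if __name__ == "__main__":
    for finding in evaluate_logins(SAMPLE_LOGINS, BLOCKED_ASNS):
        print(finding)
```

Alice’s London-to-Singapore pair implies roughly 5,400 km/h and is flagged; Bob’s London-to-Manchester pair is under 100 km/h and passes; Carol is flagged purely on the ASN. In production the threshold and the block list are tuning decisions, and the output feeds a conditional-access deny or an analyst queue rather than a print statement.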
Endpoint and email
- EDR/XDR on all endpoints and servers; turn on automatic isolation for confirmed malware.
- Email security tuned for social engineering (the hallmark in M&S/retail-style attacks) and MFA-reset abuse.
Data protection
- Backups: 3-2-1 rule, immutable copies and restore tests quarterly; prioritise systems that keep you trading (payments, ordering, logistics).
- Data minimisation and tokenisation for high-value datasets (reward schemes, gift cards, PII that attracts ransomware crews).
Network and cloud
- Segmentation between IT and OT (manufacturing/plant); JLR shows why “flat” networks are dangerous in production environments.
- SaaS posture management: audit third-party OAuth apps and over-privileged service accounts (a 2025 attack theme).
- Zero-trust principles for crown-jewel apps: verify explicitly, least privilege, assume breach.
Monitoring and response
- 24/7 monitoring (internal or MSSP) with clear escalation runbooks; ransomware dwell time is measured in hours, not weeks.
- Table-top exercises with execs twice a year (include legal and communications). Simulate: “online orders down”, “supplier compromise”, “CEO account hijacked”.
People and process
- High-fidelity phishing drills and helpdesk procedures to stop social-engineering password resets (a Scattered Spider hallmark).
- Joiners-Movers-Leavers hygiene: instant deprovisioning; quarterly audit of dormant accounts.
- Third-party assurance: ask vendors for MFA/EDR attestations, recent pen-tests, sub-processor lists and UK transfer safeguards. Harrods’ experience shows why.
Governance and readiness
- Incident communications plan: pre-draft customer, employee and regulator notices; keep contact trees offline.
- Breach decisioning: an internal 72-hour playbook covering what gets logged, who decides and how to assess “high risk” to individuals.
- Cyber insurance: model realistic scenarios (e.g. two-week outage) and verify that policy conditions match your controls; close any gaps before Reuters’ JLR coverage is your board paper.
When to call legal (and why)
Ensure your RoPA, privacy notices and DPIAs reflect new technical controls; embed contractual security baselines into MSAs and SaaS agreements and establish pre-agreed incident retainer terms with forensics and crisis communications teams so you’re not negotiating under pressure at 3am.
The first 72 hours: Your breach response checklist
Hour 0–6: Containment and coordination
- Contain: isolate affected systems, revoke tokens, rotate keys, disable compromised accounts.
- Stand up the incident cell (tech, legal, communications, HR and executives).
- Start the breach log and evidence preservation.
Hour 6–24: Assess and communicate
- Triage data impacts: what personal data, whose, how much, where?
- Engage forensics under legal privilege; align on working hypotheses and scope.
- Draft holding lines for customers, staff and partners (don’t over-promise).
Hour 24–48: Notify and stabilise
- Decide ICO reportability and whether individual notification is required; if in doubt, prepare to file.
- Notify key customers/authorities where contractually required.
- Stabilise critical services (payments, ordering, logistics) and publish service status.
Hour 48–72: Report and brief
- File the ICO notification (you can file updates later; don’t wait for a perfect RCA).
- Approve customer messaging if high risk to individuals (clear and factual with support offered).
- Brief the board and insurers; capture major decisions for audit.
Five board questions to ask this week
- If production or online sales stopped for 10 days, what’s our weekly burn and how do we fund it? (Run the cash scenario.)
- Show me our last restore test of payments/ordering/ERP. Did we meet the RTO we tell customers?
- Which supplier, if compromised, would take us down? What have we verified about their controls?
- Where is our 72-hour playbook? Who owns the decision to notify the ICO?
- Does our cyber policy actually respond to our likely scenario? (Check warranties, exclusions, waiting periods.)
Final thought: Resilience is a leadership choice
The lesson from JLR, M&S, Co-op and Harrods isn’t that “nobody is safe.” It’s that resilience is a leadership choice: plan for breach, practise the plan and make security boringly normal across the business. The companies who do that may still get hit but they’ll get back up faster, protect their customers better and have a sharper story for regulators and investors.
If you want a quick external sense-check, ask your advisors to run a 2-hour breach readiness review against the playbook above. It’s the cheapest insurance you’ll buy this year.
Sources and further reading
- JLR incident and restart: The Guardian coverage on phased restart, sales impact and supplier financing; Reuters on duration, weekly losses and insurance.
- Retail incidents: The Guardian on M&S outage, attribution reporting and market impact; Reuters on Co-op costs; Computer Weekly on Harrods third-party breach.
- Regulatory duties: ICO guidance on 72-hour reporting and breach handling.
- Macro: UK/NCSC warnings on rising significant incidents and board responsibility.
The information provided in this article is provided for general information purposes only, and does not provide definitive advice. It does not amount to legal or other professional advice and so you should not rely on any information contained here as if it were such advice.
Wright Hassall does not accept any responsibility for any loss which may arise from reliance on any information published here. Definitive advice can only be given with full knowledge of all relevant facts. If you need such advice please contact a member of our professional staff.
The information published across our Knowledge Base is correct at the time of going to press.