Britain’s Costliest Cyber Attack Was Never About the Data

What Jaguar Land Rover, M&S and the Co-op reveal about the difference between compliance and resilience

In late August 2025, someone at Jaguar Land Rover noticed something odd on the network. Within days, JLR had shut down its own IT systems to contain what would become the most economically damaging cyber attack in British history. Production stopped at three UK plants for the best part of six weeks. The UK’s Cyber Monitoring Centre later modelled the total cost to the economy at £1.9 billion, with a plausible range of £1.6 billion to £2.1 billion, and found that more than 5,000 organisations across JLR’s supply chain felt the impact.

Ciaran Martin, who chairs the CMC’s technical committee and used to run the NCSC, called it the most financially damaging cyber event Britain has ever recorded.

I’ve sat through a lot of board conversations about cyber risk over the years, and most of them are still built around the wrong half of this problem. That £1.9 billion figure has almost nothing to do with stolen data. The attackers, a loose collaboration operating under the banner Scattered Lapsus$ Hunters, did take information, but the number is overwhelmingly a story about lost manufacturing output. JLR had spent hundreds of millions of pounds on outsourced IT and cybersecurity management, under a five-year contract with Tata Consultancy Services worth roughly £800 million, signed in 2023. None of that spending stopped production grinding to a halt, because the attack’s real weapon wasn’t data theft. It was the decision, forced by the intrusion, to switch off the systems the business needed to keep making cars.

Same attackers, same month, opposite outcomes

If JLR shows you how bad this can get, a different pair of incidents from the same period shows you why some organisations get hit so much harder than others.

In April 2025, Marks & Spencer and the Co-op were both compromised by the same broad cluster of attackers, Scattered Spider working alongside DragonForce ransomware. The CMC assessed the two incidents together as a single Category 2 systemic event, with a combined financial impact of £270 million to £440 million. The two companies’ experiences of that event were about as different as they could be.

At M&S, the attackers got in on 17 April. Nobody noticed until the afternoon of 19 April, by which point they had moved through the network and deployed ransomware. M&S suspended online sales for 46 days, at a modelled cost of roughly £1.3 million a day. Statutory pre-tax profit for the six months to 27 September collapsed from £391.9 million to £3.4 million. Direct incident costs came to £101.6 million, partly offset by £100 million of cyber insurance. The retailer’s own estimate of the hit to operating profit was around £300 million.

At the Co-op, the same broad threat cluster got in, and the story more or less stopped there. The organisation detected the intrusion within minutes and proactively disconnected its own network before real damage was done. It refused to pay a ransom. The bill was still substantial: roughly £206 million in lost revenue, and the personal data of 6.5 million members was compromised. But there was no ransomware deployment, no weeks of suspended trading, no collapse in profit. Co-op’s Rob Elsey later explained that the company’s defences activated immediately, cutting off the compromised account before it could do lasting damage. The board, it turned out, had already war-gamed something close to this exact scenario.

Same attackers. Same month. One organisation noticed within minutes and cut the intrusion off. The other took two days to notice, by which point the damage was already structural. That gap is the entire difference between a case study in resilience and a nine-figure write-down, and it had almost nothing to do with how sophisticated the attackers were.

Why the rules are catching up

This is the backdrop against which the UK’s Cyber Security and Resilience Bill has been moving through Parliament since November 2025. It’s the biggest rewrite of UK cyber law since the 2018 NIS Regulations, and its expanded scope reads like a direct response to exactly the failure points JLR and M&S exposed. Managed service providers are being brought into scope for the first time, an estimated 900 to 1,100 of them. UK data centres above certain capacity thresholds are now regulated directly. So is any critical supplier to an already-regulated organisation, whether or not it has ever thought of itself as part of the country’s critical infrastructure.

The penalties are real enough: up to £17 million or 4% of global turnover for a serious breach, daily fines for letting things drag on, a 24-hour early warning and a 72-hour full report to your regulator and the NCSC. But the penalties matter less than what they represent. Regulators have noticed what JLR and M&S proved in public: a supply chain is only as resilient as its most poorly defended link, and that link is increasingly a supplier or service provider rather than the household name at the centre of the story.

The complication nobody’s talking about

One part of the JLR story doesn’t get discussed nearly enough. Facing a supply chain in genuine danger of collapse, the UK government stepped in with a £1.5 billion loan guarantee to keep JLR’s suppliers solvent while production was offline. By most accounts, a reasonable emergency response to a genuine crisis.

Ciaran Martin, the same person who described JLR as the costliest cyber event in UK history, later warned that the bailout risks becoming a dangerous precedent. His worry isn’t whether JLR deserved the help. It’s that intervening case by case, without clear published criteria for when the state will and won’t step in, quietly shifts the cost of poor resilience planning from the company that under-invested onto a taxpayer who never got a vote in the decision.

That’s worth thinking about if you run technology or security for any organisation with a supply chain of meaningful size. The Cyber Security and Resilience Bill will eventually force a baseline of preparedness onto the organisations it covers. But regulation moving through Parliament in 2026, with full effect not expected until 2028, is no substitute for the harder, less glamorous work the Co-op had already done before its own crisis arrived: segmenting the network so one compromised account can’t move freely, rehearsing the response so the first hour isn’t spent working out who’s in charge, and building a board that has actually sat through the exercise of deciding what to do when the systems go down.

JLR and the Co-op leave every technology leader with the same question, and it isn’t about compliance. If the same attackers turned up at your door tomorrow, would you be the company that noticed in minutes, or the one that noticed two days too late?


Arik Fletcher is a fractional vCTO, vCISO and vCIO working with organisations across financial services, healthcare, manufacturing and hospitality

Sources: Cyber Monitoring Centre, statements on the Jaguar Land Rover incident (October 2025) and the combined April 2025 M&S/Co-op systemic event; Bank of England, Monetary Policy Report, November 2025; Marks & Spencer interim results for the six months to 27 September 2025; Co-op public statements on its 2025 cyber incident; The Register, “JLR cyber bailout risks dangerous precedent, watchdog warns,” 20 March 2026; UK Parliament, Cyber Security and Resilience Bill, and House of Commons Library briefing CBP-10442.