
Does anyone know how the attack was carried out?


Unless the hack was built on zero-days, I don't like the framing of the hack costing the UK economy billions.

The headline should be "Land Rover's Poor Cybersecurity and ITSEC Practices Cost UK Economy Billions", or something like that.


"Victim's Lack of Martial Arts Training Caused Murder"


It works both ways, "Folks mad at bank for leaving the vault open."


"Victim's Lack of Locks Caused Burglary" "Victim's $3 Padlock Invited Break In"


There aren’t many details available yet, but you can find some information here: https://treblle.com/blog/jlr-breach-breakdown-analysis

The main issue appears to be that the attack crippled JLR’s internal systems and production databases, preventing them from manufacturing new cars because they cannot properly track parts or generate serial numbers.

I’ve also read reports claiming that around 40k vehicles have already been built but are now essentially “ghost cars” since they aren’t registered in the system.

Imagine what would happen if JLR had to issue a safety recall without knowing which components are installed in which vehicles.


Did they not have a disaster recovery plan in place? It's not amazing that they got hit with a breach. It's amazing that they couldn't just "nuke from orbit" and start with a day-old snapshot (yeah, that's massively oversimplified, but still, it shouldn't take months and $billions$ to recover either).

And that 40k ghost car doesn't sound realistic. LR only makes ~400k vehicles/year. That 10% of their annual output got "lost" beggars belief.


To paraphrase Mike Tyson, everybody has a disaster recovery plan until they get punched in the face.


They did have a good plan - which was to have the government bail them out. If you have that plan, there is no need to have any other plan.


From their point of view it was a good plan - given JLR is owned by Tata, who had the resources to bail them out and didn't, they (Tata) likely see it as a good deal.

Late stage capitalism in action as usual - privatise the profits, socialise the costs.

Technically what the government did was underwrite the loan, but again - why is the government underwriting the loan when Tata has the resources to do that (13bn net income at last FY)?


Some info here: https://www.cyfirma.com/research/investigation-report-on-jag...

> The breach was enabled through stolen Jira credentials harvested via Infostealer malware, a known hallmark of HELLCAT’s operations. The exposed data includes development logs, tracking information, source code, and a large employee dataset with usernames, email addresses, display names, and time zones. The presence of verified employee information from JLR’s global workforce raises significant concerns about identity theft and targeted phishing campaigns.

then

> the JLR breach escalated when a second threat actor, “APTS,” appeared on DarkForums on March 14, 2025. APTS claimed to have exploited Infostealer credentials dating back to 2021, belonging to an employee who held third-party access to JLR’s Jira server. Using these compromised credentials, the actor gained entry and shared a screenshot of a Jira dashboard as proof. APTS also leaked an additional tranche of sensitive data, estimated at around 350 GB, which contained information not included in Rey’s original dump, further amplifying the scale and severity of the breach.
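
A defensive check for the pattern in the quoted report (infostealer-captured credentials from 2021 still valid years later on a third-party account), as an added example that is not part of the thread or the CYFIRMA report. The account inventory, exposure records, field names and function are all constructed for illustration.

```python
from datetime import date

# Constructed sample data: account inventory for a hypothetical issue tracker.
ACCOUNTS = [
    {"user": "a.vendor", "third_party": True,  "mfa": False, "pw_changed": date(2020, 11, 2)},
    {"user": "b.staff",  "third_party": False, "mfa": True,  "pw_changed": date(2019, 6, 30)},
    {"user": "c.staff",  "third_party": False, "mfa": True,  "pw_changed": date(2024, 1, 15)},
    {"user": "d.vendor", "third_party": True,  "mfa": True,  "pw_changed": date(2023, 3, 9)},
]
# Constructed sample data: (user, date the infostealer log was captured).
EXPOSURES = [
    ("a.vendor", date(2021, 5, 17)),
    ("b.staff", date(2021, 8, 1)),
    ("c.staff", date(2022, 2, 20)),
    ("c.staff", date(2021, 1, 5)),
    ("x.unknown", date(2021, 9, 9)),  # no matching account, ignored
]

def stale_exposed_accounts(accounts, exposures, today):
    """Return accounts whose password predates their latest known exposure."""
    latest = {}
    for user, seen in exposures:
        latest[user] = max(seen, latest.get(user, seen))
    findings = []
    for acct in accounts:
        exposed = latest.get(acct["user"])
        if exposed is None or acct["pw_changed"] > exposed:
            continue  # never exposed, or rotated since the log was captured
        findings.append({
            "user": acct["user"],
            "exposed_days": (today - exposed).days,
            "third_party": acct["third_party"],
            "mfa": acct["mfa"],
            # Without MFA the stolen password alone is enough to log in.
            "severity": "critical" if not acct["mfa"] else "high",
        })
    # Review order: no MFA first, then third-party, then longest exposure.
    findings.sort(key=lambda f: (f["mfa"], not f["third_party"], -f["exposed_days"]))
    return findings

if __name__ == "__main__":
    for finding in stale_exposed_accounts(ACCOUNTS, EXPOSURES, date(2025, 3, 14)):
        print(finding)
```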



