The Weekly Reflektion 02/2026
Society relies heavily on interconnected digital systems to manage manufacturing, supply chains, finance, and customer services. When these systems are compromised, the impact extends far beyond data loss, often causing production shutdowns, financial losses, and damage to national economies. Cybersecurity plays a critical role in protecting organizations from large-scale disruptions. We at Reflekt, as always, are concerned about measures to prevent Major Accidents. While we are not IT experts by any measure, we do recognise the vulnerabilities in any system that is designed and operated by people.


Are your cyber security systems working effectively?
On 31 August 2025, Jaguar Land Rover (JLR) discovered a breach in its internal IT systems. The systems were shut down to contain the incident on 1 September. Production was halted for about five weeks. JLR reported direct costs of £196 million to address the attack and recover systems. The cost of recovery and the loss of sales resulted in a reported quarterly loss of about £500 million. The Cyber Monitoring Centre, a UK cybersecurity body, estimated the total cost to the UK economy at around £1.9 billion, potentially the costliest cyber incident in UK history.
The cyber-attack was carried out by the hacker group Scattered Lapsus$ Hunters and exploited a combination of human error and technical security gaps to breach the JLR systems. The attack was not a single sophisticated exploit, but rather a sequence of well-known tactics that granted the attackers “master keys” to the company’s global network. The attackers leveraged a known Remote Code Execution (RCE) vulnerability in the SAP NetWeaver technology platform. While patches were available, the system at JLR remained unpatched at the time of the breach. SAP NetWeaver is a technology stack and middleware platform developed by SAP SE. It serves as the foundational infrastructure for most company SAP applications, including Enterprise Resource Planning (ERP), Supply Chain Management (SCM), and Customer Relationship Management (CRM).
The initial foothold was achieved through “vishing” (voice phishing). Hackers impersonated internal staff or IT help desk personnel to trick employees into disclosing valid credentials. Investigations revealed that some credentials used by the hackers were severely outdated, with some passwords stolen as far back as 2021 still active in 2025.
Multi-Factor Authentication (MFA) was either missing or inconsistently applied across sensitive applications like VPNs and Jira. This allowed the attackers to use stolen passwords without the need for a secondary verification step. JLR’s network lacked adequate separation between general IT and Operational Technology (OT). Once inside the IT environment, the attackers moved laterally into manufacturing control systems, forcing a total global production shutdown.
The hackers also used credentials stolen from a third-party contractor’s Atlassian Jira account, which provided architectural diagrams and internal data useful for planning the broader attack.
The Jaguar Land Rover cyberattack demonstrated a high level of technical sophistication and careful planning by the attackers. Rather than relying on simple malware or automated exploits, the hackers used a targeted, intelligence-driven approach designed to blend in with normal business activity. They focused on obtaining legitimate user credentials and abusing trusted internal systems, a strategy often described as “log in, not hack in.” This allowed them to bypass many traditional security defenses without immediately raising alarms. The attackers showed strong operational competence by studying JLR’s internal workflows, supply-chain systems, and IT dependencies before executing the attack. Their timing maximized disruption, and the way they moved laterally across connected systems revealed a deep understanding of enterprise networks. This level of coordination, stealth, and system knowledge indicates that the operation was not random or opportunistic but strategically planned by an organized and highly capable cybercrime group.
The precise motive hasn’t been officially confirmed by Jaguar Land Rover, but several indicators point to financial or notoriety-driven criminal intent rather than a state political goal. The hacking operation resembled typical cybercriminal behaviour, such as ransomware-style disruption and credential theft.