Hacking attacks on UK companies

Jaguar Land Rover (JLR)

Jaguar Land Rover (JLR) has fallen victim to one of the most destructive cyberattacks in the history of the British automotive industry. The attack, which began on August 31, 2025, led to a complete halt to global production and caused a domino effect throughout the supply chain, generating losses estimated at £5-10 million per day. A group called "Scattered Lapsus$ Hunters" - a coalition of three well-known cybercriminal collectives - has claimed responsibility for the attack:

  • Scattered Spider - a loose network of young hackers, mostly teenagers from the UK and the US
  • Lapsus$ - a group known for attacks on large technology corporations
  • ShinyHunters - specializing in data theft and extortion.

Scattered Spider is a particularly dangerous group, consisting mainly of young people, some as young as 16, from an English-speaking hacker community called "The Com". The group was previously responsible for attacks on M&S (£300 million in losses), Co-op and Harrods.

The attackers used a combination of advanced techniques:

  • Social engineering - manipulation of IT employees to gain access to systems
  • SAP NetWeaver exploitation - use of the critical vulnerabilities CVE-2025-31324 and CVE-2025-42999
  • Missing authorization in Visual Composer - allowed unauthorized access to systems

The main reason the attack succeeded was the exploitation of critical vulnerabilities in SAP NetWeaver. These vulnerabilities enabled the attackers to:

  • Execute arbitrary commands on SAP servers
  • Upload malicious executable files
  • Take full control of the system

Additional factors affecting the scale and effects of the attack were:

  • Timing of the attack - hackers chose the worst possible moment, the beginning of September, when new license plates are introduced in the UK
  • System complexity - production is so highly automated that the IT shutdown paralyzed it entirely
  • Supply chain integration - interdependence with suppliers has caused a domino effect

The effects of the attack were staggering. Production was completely stopped, distribution was disrupted, and the financial impact was measurable. The effects were felt not only by Jaguar Land Rover but also by its related and cooperating companies:

  • Solihull, Halewood and Wolverhampton factories closed
  • About 1,000 cars a day not being produced
  • Plants in China, Slovakia and India also affected
  • Dealers cannot register new vehicles
  • Customers cannot pick up the cars they ordered
  • Spare parts systems offline, preventing servicing work
  • £5-10 million a day in lost profits
  • With a normal turnover of £75 million a day, the loss is catastrophic
  • Up to 250,000 people in JLR's supply chain affected (just-in-time suppliers are particularly vulnerable)
  • Around 6,000 employees have already been laid off at Evtec, WHS Plastics, SurTec and OPmobility
  • Small and medium-sized companies are facing bankruptcy (smaller suppliers lack liquidity)
  • Some companies have already taken out loans for payouts

Why is the impact so great?

JLR is critically important to the UK economy: it is the UK's largest car manufacturer, accounting for 4% of total UK merchandise exports. The company employs 34,000 people directly and supports tens of thousands of jobs indirectly. In addition, the timing was "perfect" for the attackers - September is a key month for car sales in the UK due to the introduction of the new "75" license plates. Experts call this the "worst possible moment" for an attack.

JLR's modern factories are fully automated and dependent on IT systems, so shutting down those systems stops the production lines immediately. A car today consists of about 100,000 components from various suppliers. A production halt at JLR immediately affects the entire supplier network, and the automotive industry relies on just-in-time deliveries, which means minimal inventory. The conclusion is simple - any disruption immediately paralyzes the entire production process.

A wave of cyberattacks in the UK - a common denominator

All major companies attacked by Scattered Spider in the UK (except Harrods) use Tata Consultancy Services (TCS) to manage their IT and cybersecurity. This finding suggests that TCS may be the main attack vector used by hackers.

Jaguar Land Rover

  • TCS relationship: Partnership expanded in 2023 to £800 million over 5 years
  • Scope of services: ERP (SAP S/4 HANA), IT infrastructure management, cybersecurity
  • Status: Attacked September 2025, still partially offline

Marks & Spencer

  • TCS Relationship: Primary IT Partner since 2018
  • Scope of services: Digital transformation, infrastructure management, help desk
  • Confirmation: At least two TCS employees had compromised M&S logins
  • Status: Attacked in April 2025, losses of £300 million

Co-op

  • TCS relationship: IT partner since 2010, expansion in 2024
  • Scope of services: Business transformation, core systems, cloud first strategy
  • Status: Attacked in May 2025

Qantas (Australia)

  • TCS Relationship: TCS Client
  • Status: Attacked by Scattered Spider in 2025

Harrods - the exception that proves the rule

Harrods is the only attacked company for which no confirmation of cooperation with TCS has been found. Importantly, a Harrods employee stated that the impact there was smaller because the third party had very limited permissions in Harrods systems, possibly through Just-In-Time access.

Scattered Spider's methodology is simple: it uses IT vendors as attack vectors, relying on a few relatively simple steps:

  • Reconnaissance: collecting information about IT employees from social media
  • Social engineering: calling the help desk with credible excuses
  • Compromise: gaining access via password reset/MFA
  • Escalation: exploiting privileges to attack the real targets
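The reset-then-escalate sequence above leaves a recognizable trail in help-desk and identity audit logs. The following detection sketch is an added example, not part of the original article or any vendor's tooling; the event types, field names and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Event types and field names
# are assumptions; map them to your own IdP and help-desk audit schema.
SAMPLE_EVENTS = [
    {"ts": "2025-04-01T09:00:00", "user": "it.admin1", "type": "helpdesk_password_reset", "actor": "agent17"},
    {"ts": "2025-04-01T09:06:00", "user": "it.admin1", "type": "mfa_enrolled"},
    {"ts": "2025-04-01T09:20:00", "user": "it.admin1", "type": "privileged_login"},
    {"ts": "2025-04-01T10:00:00", "user": "clerk22", "type": "helpdesk_password_reset", "actor": "agent03"},
    {"ts": "2025-04-01T10:30:00", "user": "clerk22", "type": "login"},
    {"ts": "2025-04-02T08:00:00", "user": "it.admin2", "type": "mfa_enrolled"},
    {"ts": "2025-04-02T08:05:00", "user": "it.admin2", "type": "privileged_login"},
]

# Ordered steps that together match the pattern described in the article.
CHAIN = ("helpdesk_password_reset", "mfa_enrolled", "privileged_login")


def find_reset_chains(events, window=timedelta(hours=1)):
    """Alert when one user completes CHAIN, in order, within `window`."""
    progress = {}  # user -> (steps matched, time of reset, help-desk agent)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        step, started, agent = progress.get(ev["user"], (0, None, None))
        if started is not None and ts - started > window:
            step, started, agent = 0, None, None  # chain went stale
        if ev["type"] == CHAIN[0]:
            step, started, agent = 1, ts, ev.get("actor")  # (re)start chain
        elif step > 0 and ev["type"] == CHAIN[step]:
            step += 1
        if step == len(CHAIN):
            minutes = int((ts - started).total_seconds() // 60)
            alerts.append({"user": ev["user"], "agent": agent, "minutes": minutes})
            step, started, agent = 0, None, None
        progress[ev["user"]] = (step, started, agent)
    return alerts


if __name__ == "__main__":
    for alert in find_reset_chains(SAMPLE_EVENTS):
        print(alert)
```

Each alert carries the help-desk agent who performed the reset, which matters when one help desk is shared between customers.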

Cybersecurity experts directly point to the TCS help desk as a weak point:

Kevin Beaumont (Cybersecurity Consultant): "It's well known in the cyber industry that hackers call help desks and ask for access, getting it with ease. TCS provided these help desk services, shared between customers"

TCS offers shared IT services for different customers, which creates the following risks:

  • One compromised help desk can give access to many companies
  • TCS employees have permissions on different customers' systems
  • Proper segmentation between customers is lacking

TCS conducted an internal investigation into the M&S incident and found no evidence that its own systems had been breached. The investigation was completed in June 2025 and concluded that "No TCS systems or users have been compromised." However, experts question the independence of that investigation: TCS examined itself, which creates an obvious conflict of interest within the management structures of Tata Group, and there was no independent external audit.

The TCS case shows a systemic threat to the UK's national security, because one IT provider operates key infrastructure. Outsourcing cybersecurity to one company creates a single point of failure, and there is a lack of independent control over suppliers outside the UK.

Companies using TCS should urgently review their environments. In particular, they should review the permissions of TCS employees, implement additional identity verification controls, consider diversifying IT providers (relying on just one is never a good option), and introduce access segmentation for third parties.
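A permission review of third-party accounts can start from an export of access grants. The script below is an added example, not from the original article; the account, tenant and role names, the `expires` field and the set of roles treated as privileged are all hypothetical. It flags standing privileged access, time-boxed grants left in place after expiry, and vendor identities that reach more than one customer.

```python
from collections import defaultdict
from datetime import datetime

# Constructed inventory of third-party access grants. Account, tenant and
# role names are hypothetical; "expires" is None for standing access.
GRANTS = [
    {"account": "vendor.agent17", "tenant": "retailer-a", "role": "helpdesk-reset", "expires": None},
    {"account": "vendor.agent17", "tenant": "carmaker-b", "role": "helpdesk-reset", "expires": None},
    {"account": "vendor.sapops4", "tenant": "carmaker-b", "role": "erp-admin", "expires": None},
    {"account": "vendor.dba2", "tenant": "retailer-a", "role": "db-admin", "expires": "2025-09-01T12:00:00"},
    {"account": "vendor.net9", "tenant": "retailer-a", "role": "read-only", "expires": None},
]

# Roles treated as privileged in this example (an assumption).
PRIVILEGED = {"helpdesk-reset", "erp-admin", "db-admin"}


def review_grants(grants, now):
    """Return (finding, account, detail) tuples for risky vendor grants."""
    findings = []
    tenants = defaultdict(set)
    for g in grants:
        tenants[g["account"]].add(g["tenant"])
        if g["role"] not in PRIVILEGED:
            continue
        if g["expires"] is None:
            # Privileged access with no expiry: not just-in-time.
            findings.append(("standing-privilege", g["account"], g["tenant"]))
        elif datetime.fromisoformat(g["expires"]) <= now:
            # Time-boxed grant that is still present after its expiry.
            findings.append(("expired-not-revoked", g["account"], g["tenant"]))
    for account, seen in sorted(tenants.items()):
        if len(seen) > 1:
            # One vendor identity reaching several customers: no segmentation.
            findings.append(("cross-tenant", account, ",".join(sorted(seen))))
    return findings


if __name__ == "__main__":
    for finding in review_grants(GRANTS, datetime(2025, 9, 2)):
        print(finding)
```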

TCS serves over 150 customers in the UK, including many large companies such as:

  • Morrisons
  • Sainsbury's
  • Kingfisher (B&Q, Screwfix)
  • Boots
  • Lloyds Bank
  • Nationwide
  • British Airways
  • BT
  • National Grid
  • easyJet
  • Three UK (cybersecurity)

As the list of the largest customers shows, the consequences of similar attacks could be catastrophic. The pattern suggests that the attacks are not random, but strategically targeted to exploit TCS's trusted customer relationships. The TCS help desk, serving multiple customers at the same time, has become an ideal target for social engineering by the young, English-speaking hackers of the Scattered Spider group. For the UK IT industry, this means an urgent revision of the approach to outsourcing critical cybersecurity functions and greater control over third-party vendors.