Major Cyber-Attack on Jaguar Land Rover Sparks Urgent Response as Staff Undergo Password Resets
In September 2025, Jaguar Land Rover (JLR) fell victim to a significant cyber-attack, prompting immediate action from the company’s cybersecurity leadership. One of the very first decisions made was to instruct over 30,000 employees on-site to reset their passwords—an essential measure aimed at safeguarding the integrity of communication channels during a turbulent period.
During a session at the Infosecurity Europe conference on June 3, Ashish Shrestha, who served as the group Chief Information Security Officer (CISO) of JLR at the time of the incident and is currently the CEO of Zyn Global, elaborated on the necessity of this decisive move. He stated that the company aimed to ensure that all staff identities were verifiable and trustworthy in the aftermath of the breach while they commenced a full-scale response.
Shrestha emphasized that determining whether their Microsoft 365 environment had been compromised represented a top priority. He recognized the invaluable role this communication tool played in the organization’s internal and external dialogue, asserting, "We need that to communicate." His insights came during a session titled ‘Crisis Communications – Contingency Plans to Put in Place Now,’ reflecting on the chaos stemming from the cyber-attack.
He further explained that if any indications existed that a user account within their Microsoft 365 environment had been compromised, they would no longer feel secure using it as a communication channel. As a precautionary measure, JLR required all staff to reset their passwords in person. Shrestha stated, “One of the first and foremost things was we did an enterprise-wide password reset for 30,000 people. And we asked every individual to come on site to do it.”
The Need for In-Person Password Changes
The rationale behind requiring staff to change their passwords in person was firmly anchored in trust and verification. Shrestha articulated that while there was no visible sign of an overall compromise of usernames and passwords, he felt a compelling need to ensure that every user was indeed who they claimed to be. The threat of remote password changes loomed large, raising the potential for attackers to alter passwords of compromised accounts should they have gained control.
To mitigate these risks, Shrestha triggered a comprehensive password reset—one that encompassed not merely basic log-in credentials but also multi-factor authentication (MFA). He explained, “Although identity and access management wasn’t compromised, I triggered an enterprise-wide password reset and reset everything, including multi-factor authentication, validating the identity of the human and associating their body with the ID.”
The scale of the attack significantly hindered JLR’s operations. Production and sales were ground to a halt for various weeks, leading to a drastic downturn in sales for the automotive giant in the months following. When considering the broader implications, the cost of the cyber-attack was staggering; it was labeled the most severe cyber incident recorded in the United Kingdom, costing the national economy approximately £1.9 billion (around $2.55 billion).
A Far-reaching Impact on the Supply Chain
The ramifications of the attack were not confined solely to JLR. An estimated 5,000 organizations within JLR’s supply chain were affected, illustrating how interconnected these modern operations are and how a single breach can cascade through an entire industry. This highlighted vulnerabilities that many organizations might overlook in their cybersecurity assessments.
The group responsible for this cyber-assault, identified as Scattered Spider, sent shockwaves through the cybersecurity community. Known for orchestrating various high-profile cyber incidents during 2025—including ransomware attacks that targeted several major retailers such as Marks & Spencer and The Co-op—Scattered Spider completed a striking assault against a prominent UK automaker.
As JLR continues to recover from the extensive damages inflicted by the cyber-attack, the lessons learned resonate through the industry. Emphasizing in-person verification when safeguarding sensitive information appears exceedingly pertinent in today’s era of digital communication. JLR’s proactive measures serve as a blueprint for organizations globally to consider how they might respond effectively if faced with similar challenges in the ever-evolving landscape of cybersecurity.