Bank of England says JLR's cyberattack contributed to UK's unexpectedly slower GDP growth

The Bank of England (BoE) has cited the cyberattack on Jaguar Land Rover (JLR) as one of the reasons for the country's slower-than-expected GDP growth in its latest rates decision. We've not had anything like this before, where the company has not made any cars for a month. In the announcement on Thursday, the BoE - which …

  1. alain williams Silver badge

    So now we know that cyberattacks cost ...

    (as if we did not know that already) so when are government and corporations going to put real effort and funds into preventing it in the first place ?

    100% prevention is a pipe dream but we can reduce the number of attacks and/or their impact.

    The trouble is that it is cost today for probable benefits tomorrow - something that short term attitudes by politicians and corporate bean counters are averse to.

    1. DarkwavePunk Silver badge

      Re: So now we know that cyberattacks cost ...

      Agreed. Security should be baked in from the beginning. Unfortunately it always seems to be bolted on after the fact. This is suboptimal and leaky as fuck. Doing things right costs money up front, not doing it right costs a fuck tonne of nightmarish horror down the line. How many times do we see this? When will it change?

      1. Doctor Syntax Silver badge

        Re: So now we know that cyberattacks cost ...

        "When will it change?"

        By now it should be dawning on boards and, I hope, fund managers, that insurance isn't really going to cover the reputational damage and general chaos that they've seen the Co-op, M&S & JLR experiencing. They should be asking their IT depts what they're going to do about hardening systems, building in resilience etc. (BTW have any commentards been on the receiving end of such questions?). I do fear, however, that some are going to simply reply "More Microsoft" if comments here are anything to go by.

        1. FrogsAndChips

          Re: So now we know that cyberattacks cost ...

          They should be asking their IT depts what they're going to do funding their IT depts so that they can finally do something about hardening systems, building in resilience etc.

          FTFY

        2. nobody who matters Silver badge

          Re: So now we know that cyberattacks cost ...

          "They should be asking their IT depts what they're going to do about hardening systems"

          I imagine that in a great many corporations, their IT department (where they still have something significant enough to call an IT department on the premises as it were), have already tried to impress upon their managers a need for greater attention and expenditure being needed to keep the corporation's IT systems secure from attack, and those managers have rebuffed their warnings because it will cost money/impede communications between them and suppliers/customers, or because they really don't comprehend the consequences of such an intrusion, and (not being very knowledgeable regarding computing and the internet in general) they think whatever basic security they already have is all they need and so think their systems are already safe, or have the attitude "It's OK, we're insured".

          The problem requires not just legislative action by Governments, and realisation that more needs doing by the Boardroom, but needs a prolonged and effective process of educating those in management roles within a company as to the actual level of risk they are currently facing and are increasingly likely to face in the future.

          This is also going to require arrogant management to accept that they don't know and don't understand IT and the internet, which is something that (judging from the reports that members of IT departments have frequently related on these discussion boards regarding management ignorance/arrogance/pig headedness on IT matters) appears to me to be the biggest hurdle to overcome.

      2. Dwarf Silver badge

        Re: So now we know that cyberattacks cost ...

        Fully agree.

        There have been a number of projects come past my door for review over the years, where the holes in the design and lack of appropriate security controls are blatantly obvious. These get raised with the project SA for resolution and references to the relevant security policies and approaches are given, so that they have the info they need to fix the problem. The SAs often come back afterwards saying that they know it's not right, but the project is not listening. If they are a contract resource, then they don't want to rock the boat too much.

        Then the politics starts and some manager somewhere whines about impacts to delivery lead times and moving things right to another release, or the age old "we've added it to the backlog", which translates to "we are not doing it". One place even had backlog items automatically close if they were not updated in 6 months. I've even had some managers state that "competitors are doing it the same way", as if that magically makes the problem go away.

        Then security get involved and advise again on what is needed, supporting architecture, yet the project "governance" (what governance ???) seems to be able to slip by in any of a number of creative ways by going up the management ladder and accepting the risk - to someone who doesn't understand what they are signing off. Then all the management deck chairs get re-arranged or someone leaves and someone else ends up in the role, without knowing about the problems that they are now responsible for. Many times the risk in the risk register is poorly worded and doesn't accurately reflect the original problem. I've seen them closed as "fixed" before, with no re-work actually happening. This came up when we chased an open defect for an update, some 6 months after it was raised and recorded.

        I've even had projects argue with the results of the pen tests and try and argue that it's not a real issue, when the person arguing the fact hasn't got a clue what the problems being reported are. The hide it, park it, promise it for the future game then repeats again.

        Until organisations start listening to the experts that they have already hired, and start closing issues out rather than trying to constantly hide the problem in a giant game of corporate chess, then things won't improve.

    2. Mike007 Silver badge

      Re: So now we know that cyberattacks cost ...

      Lots of corporations do put funds in to the problem.

      They purchase something called "cyber insurance".

      As long as they have a cyber security essentials certificate to go with it they are all good and can tell everyone they are fully protected from cyber threats.

      At a recent employer we had a little "ritual" whenever a client needed to renew their cyber security essentials certification. The relevant manager would call me to let off some steam by ranting about the latest bullshit questions from the assessor. When they were done I would ask "Did they add a requirement to encrypt laptop hard drives yet"? They would then answer: "No, which is why all of our clients can say they exceed government cyber security certification requirements."

    3. John Robson Silver badge

      Re: So now we know that cyberattacks cost ...

      More importantly it's cost today for possible and invisible benefits - so you can't say "look, here's the saving that spend was responsible for"

  2. Neil Barnes Silver badge

    first case in which a cyberattack has caused material economic and fiscal harm to the UK

    It might be argued that _any_ cyberattack causes material economic harm, successful or otherwise. Even the threat of such is sufficient to cause companies to spend on insurance, increasing the price of their products, and significantly, _not_ reducing the damage when an attack succeeds. It may be that any mitigation insisted on by the insurer is a benefit, but does that reduce the risk of costs long term?

  3. Tron Silver badge

    Dodgy figures.

    JLR are an Indian company, owned by Tata. The only costs were the incidental ones (any local parts of the supply chain) and a bit less tax paid.

    Hardly anything of any size in the UK is British owned. Except when it loses so much money it has to be nationalised and run at a loss for political reasons, like British Steel. The new EU tariffs may see the British steel industry become the modern equivalent of British Leyland.

    I wonder how many checks the insurers of these companies did before offering them an insurance policy. They might want to improve that process.

    1. ManInThe Bar

      Re: Dodgy figures.

      Nonsense

      The business activity occurred in the UK and counted as part of UK GDP. The same with any (eg) car manufacturer whether in Swindon or Tyneside or elsewhere in the UK.

      Profits not reinvested in the existing business might count against UK trade balances, and in this case losses that have been supported by funds from overseas will actually count towards them!

      1. wolfetone Silver badge

        Re: Dodgy figures.

        So we should expect a dip in GDP for Slovakia then as well? As JLR products built there for the UK market were also interrupted.

        1. Oneman2Many Bronze badge

          Re: Dodgy figures.

          Yeap, same calls for government help,

          Cyberattack on Jaguar Land Rover ripples through Slovak supply chain - The Slovak Spectator https://share.google/Af8hwMO4agBeERc2O

        2. jdiebdhidbsusbvwbsidnsoskebid Silver badge

          Re: Dodgy figures.

          Pedant alert!

          "So we should expect a dip in GDP for Slovakia then as well?"

          Yes. I mean, any negative impact on any part of a nation's economic activity is going to have some impact. Even if it's just my greetings card company selling 1 card a day that can't trade for a day because I've got a cold. Assuming that the BoE uses enough precision in its numbers, any impact, however small, can contribute.

          The point is, how much of an impact did the JLR attack really have? The MPC's own 79 page report doesn't quantify it, just saying that the growth figures "reflect ... disruption linked to the [JLR] cyberattack".

          Pedantic rant over.

      2. lordminty

        Re: Dodgy figures.

        "The same with any (eg) car manufacturer whether in Swindon".

        Keep up at the back!

        There is no car manufacturing in Swindon, and hasn't been for at least 4 years.

        Try Derby or Oxford.

        1. nobody who matters Silver badge

          Re: Dodgy figures.

          Not the manufacture (or rather, assembly) of complete cars any more, that is true. However BMW still has their factory pressing body panels for the MINI built at Cowley ;)

    2. Oneman2Many Bronze badge

      Re: Dodgy figures.

      They may be Indian owned but design, manufacturing and backend platform were based in UK, including a large part of the supply chain. Tata was pretty sensible in being hands off and there wasn't much systems integration with the rest of the Tata empire.

      1. nobody who matters Silver badge

        Re: Dodgy figures.

        ".......there wasn't much systems integration with the rest of the tata empire"

        Well, actually there was - TCS interlinks all the Tata empire through providing the IT services for all of it.

  4. codejunky Silver badge

    Hmm

    Are they hoping it has nothing to do with Rachel from accounts?

    1. bootlesshacker

      Re: Hmm

      Whatever your view on political policy or competency, falling back to casual misogyny in your argument, instead of explaining the rationale behind your thoughts reveals your true motives. Grow up.

      1. codejunky Silver badge

        Re: Hmm

        @bootlesshacker

        "Whatever your view on political policy or competency, falling back to casual misogyny in your argument, instead of explaining the rationale behind your thoughts reveals your true motives. Grow up."

        I am guessing you are not from the UK. She lied on her work history. Nothing to do with misogyny, everything to do with her being caught out lying. She is crap at her job, nothing to do with genitalia.

        1. bootlesshacker

          Re: Hmm

          You're incorrect. I am from the UK, but if I critique someone I call out specifically why, not make up some cheap misogynistic comment which adds no value to any conversation. If your criticism is that she lied on her CV, then start with that.

          1. codejunky Silver badge

            Re: Hmm

            @bootlesshacker

            "You're incorrect. I am from the UK, but if I critique someone I call out specifically why"

            I am surprised you are from the UK and don't know the "Rachel from accounts" thing, which has nothing to do with her gender (note I didn't mention her gender, YOU did in your reply). Just to help you-

            https://www.google.com/search?client=firefox-b-lm&channel=entpr&q=rachel+from+accounts

            "If your criticism is that she lied on her CV, then start with that."

            I did. YOU are the one claiming gender. I used the common joke about her lies on her CV. Something that is very common knowledge in the UK hence my surprise at your complaint.

            1. bootlesshacker

              Re: Hmm

              It's genuinely quite sad if you don't understand the misogyny behind your "joke" or the fact that you think not mentioning gender changes this. I pity you.

              "I am surprised you are from the UK and don't know the "Rachel from accounts" thing" - not agreeing with your comment is not the same as "don't know". I'm well aware of this comment.

              1. codejunky Silver badge

                Re: Hmm

                @bootlesshacker

                "It's genuinely quite sad if you don't understand the misogyny behind your "joke" or the fact that you think not mentioning gender changes this. I pity you."

                Normally I would write this off as some sort of trolling but you do have a name so I will entertain this a little longer. You seem to prove the saying of 'if you go looking for something you will find it'. At what point does my original comment mention gender? The only way to infer a gender being from the name Rachel.

                The joke is about her lying on her cv. Do you accept she lied on her cv? Do you realise that's what she did? Would you feel better if I called her Rachel from the helpdesk?

                The bit you should explain is which part of my comment you FEEL is misogynist because the comment doesn't say anything of the sort. Are YOU thinking it is misogynist as if accounting is a woman's job? Are YOU thinking it is misogynist because in YOUR mind lying on a cv is a woman thing? Are YOU thinking it is misogynist because you don't like I poked fun at the chancellor? Are YOU thinking it is misogynist because misogyny is in the room right now talking to you?

                Seriously I would love to know where you get the idea from if you would care to share.

                "- not agreeing with your comment is not the same as "don't know". I'm well aware of this comment."

                Sorry for the source-

                In 2006, Reeves moved to Leeds to work for the retail arm of HBOS.[14][15] In 2024, due to criticism of Reeves saying she had worked as an economist at HBOS, her LinkedIn CV was changed, and her role at the bank was updated to "Retail Banking".[11][16] The Times reported her actual role was "running a customer relations department dealing with complaints and mortgage retention".[11] The report led to the media and opposition politicians nicknaming her "Rachel from accounts".[17][18] - https://en.wikipedia.org/wiki/Rachel_Reeves

                If you are aware then how are you so wrong/confused?

                1. bootlesshacker

                  Re: Hmm

                  I'm not going to explain why it's misogynistic. Maybe ask a woman in your life, who can use crayons to help explain it if that makes it a little easier for you.

                  1. codejunky Silver badge

                    Re: Hmm

                    @bootlesshacker

                    "I'm not going to explain why it's misogynistic. Maybe ask a woman in your life, who can use crayons to help explain it if that makes it a little easier for you."

                    As I thought you have nothing. No thought, no clue, no explanation. Get a woman in your life, she may be able to help you, but make it a therapist

                    1. ChodeMonkey Silver badge

                      Re: Hmm

                      "Get a woman in your life"

                      Are you propositioning Mr bootlesshacker? Have you no shame?!

                2. Anonymous Coward

                  Re: Hmm

                  @codejunky

                  Triggered much? However do you find the time to do all this in-depth "research" and hold down a full time job?

  5. Anonymous Coward

    TCS. Totally Cocked-up Systems.

    JLR is owned by Tata. Its IT is run in-house by TCS. TCS is owned by Tata.

    As own goals go, it's been pretty impressive.

    Unless of course you own a failing car maker, making cars in a country with very high labour costs, in a continent that has the most competitive car market in the world, a continent with a massive oversupply of both car production and car plants, along with a car brand whose relaunch didn't just flatline, it's gone negative.

    Then it might just be a convenient way to restructure your business, make mass redundancies in the UK, perhaps even liquidate the UK business, then move car making to cheaper countries, perhaps like India, and retire a dead car brand.

    And blame it on a 'cyberattack'.

  6. elsergiovolador Silver badge

    Bank of Eejits

    The Bank of England just blamed GDP slowdown on a cyberattack at Jaguar Land Rover - as if it were a hurricane. Not a word about how JLR, like half of British industry, gutted its in-house IT and outsourced everything to the lowest bidder. Not a whisper about systemic dependency on offshore contractors, insecure supply chains, or leadership asleep at the wheel.

    Instead, we get a sermon about “making themselves as hard a target as possible”. Translation: we’ll blame the victim, but never the business model that made the breach inevitable.

    When a single company’s outsourcing strategy can shave points off national GDP, that’s not a cyber problem - that’s a governance failure. And if the BoE can’t say that aloud, then it’s either captured or complicit.

    1. John Robson Silver badge

      Re: Bank of Eejits

      "The Bank of England just blamed GDP slowdown on a cyberattack at Jaguar Land Rover"

      No they didn't, they cited it as a factor.

      1. elsergiovolador Silver badge

        Re: Bank of Eejits

        So they didn’t blame it, they just formally acknowledged it as a reason for slower GDP growth? That’s the same thing.

        1. John Robson Silver badge

          Re: Bank of Eejits

          So if person A steals £100 from a shop, and person B steals £1... and the shop makes a loss of £50.

          That doesn't mean that you can "blame person B for the shop making a loss".

          That theft is absolutely a factor, but it's not "to blame".

  7. Taliesinawen

    JLR Breach Breakdown: Analysis of the JLR Hack and Lessons Learned


    “JLR Cyberattack: What went wrong & how it could have been prevented”

  8. bootlesshacker

    Financial support

    I always wonder why we bail out companies who make poor decisions. Where's the motive to do better?

    Protect the workers, no problem. But let's not reward bad decision making.

    Nothing will change.

    1. Oneman2Many Bronze badge

      Re: Financial support

      The bailout wasn't for JLR, it was meant for suppliers.

      1. bootlesshacker

        Re: Financial support

        The government loan was to JLR, not the suppliers.

        1. Oneman2Many Bronze badge

          Re: Financial support

          From gov website,

          "The Government is backing Jaguar Land Rover (JLR) with a loan guarantee expected to unlock £1.5 billion to support its supply chain."

          https://www.gov.uk/government/news/government-backs-jaguar-land-rover-with-15-billion-loan-guarantee

          1. bootlesshacker

            Re: Financial support

            It's a loan to JLR. They also have not drawn down on it yet either if they do at all. If you want to support the suppliers, support the suppliers, don't pay JLR directly. Giving cash to JLR does not guarantee the suppliers will see any of it. It's just incompetence.

            1. David Hicklin Silver badge

              Re: Financial support

              > loan guarantee

              And it's only a loan guarantee not an actual loan - there is a difference !

          2. nobody who matters Silver badge

            Re: Financial support

            "The Government is backing Jaguar Land Rover (JLR) with a loan guarantee expected to unlock £1.5 billion to support its supply chain."

            The word 'expected' is carrying an awful lot of load in that sentence.

            If JLR take any of it up, I can well imagine that about the same proportion of the money will actually reach the suppliers as the proportion that reached the customers/suppliers from the bail-out money that the Government directed to the banking industry not many years ago.

  9. Anonymous Coward

    Bruce Schneier Called It Correctly As............

    .........."security theatre"...............

    JLR implemented "total systems integration" across factories and suppliers.......................

    .................and then whines about a cyberattack..............

    .................and asks the taxpayer to underwrite a $1.5 BILLION pound loan.

    Yup....."theatre"......especially when the taxpayer gets to foot the bill!

    Cui bono?..........I ask myself......

  10. Anonymous Coward

    Wonder how many of us work for perfect enterprise that can't be compromised.

    1. Ken Hagan Gold badge

      My reading of the comments is that most of us work for enterprises that won't get a government bailout if we get compromised.

      There's a strong suggestion that JLR cut the same corners as many others, but are now getting away with it simply because they are big. Perhaps that's fair, since perhaps they were targeted because they were big, but perhaps not. Perhaps some rotten managers are just getting away with it while the actual company is still a bit screwed.

      And perhaps that's a bad example to be setting the rest of the economy.

      (Not my down vote, btw. I expect you are right that hardly anyone is properly prepared.)

  11. amanfromMars 1 Silver badge

    MRDA ...... and they're serial perpetrators/BSArtists unenabled and unprepared to help themselves

    Bank of England says JLR's cyberattack contributed to UK's unexpectedly slower GDP growth

    Oh FFS ..... they would say that, wouldn't they.

    They don't do good news, do they, .... and never have done, for they haven't a clue about what to do to effectively generate permanent sustainable growth as in facilitating how it is all to be done. Never have had and until the secret is presented to them, never ever will have.

    And the very real and very personal danger that they would surely face .... should ever such a secret/sauce/source/code be freely shared and made universally known ..... is the justifiable wrath of baying public mobs should they ignore and try to deny the secret and its application.

    And that is where both they [Bank of England] and the global fiat currency banking system is currently at ‽

    1. amanfromMars 1 Silver badge

      AI .... the Gift and Sieve that just keeps on Giving Grift its Moment in the Harry Limelight.

      And it appears that a group of failed/repurposed/retired national intelligence chiefs are also into retrying to man, commandeer and pilot the executive bridge of a sinking ship and titanic enterprise of loose lips.

      A group of former British spy chiefs have launched a company designed to protect corporate secrets from being read by artificial intelligence... Sir Jeremy Fleming, who ran the Government Communications Headquarters, is helping to set up AI Score, a company aiming to prevent sensitive data from being leaked ..... New firm aims to prevent sensitive data from being leaked amid growing fears surrounding chatbots.... https://www.telegraph.co.uk/business/2025/11/08/spy-chiefs-launch-ai-company-to-protect-corporate-secrets/

      One would have thought that they at least would know there be consequences and accountability to Slow Horses for being responsible for the flogging of dead horses/prolonging the charade in denial of Inevitable Radical Reinventions/Alien Interventions/Artilectual Interruptions ...... with Second Coming type events likely practical and virtually prone to manifest its necessary materiel and happen everywhere ‽ :-)

      Are humans not able to continually learn and be taught not to repeat harmful and self-defeating mistakes and move everything on and everyone upward and outwards? Are they so retarded?

      And if the present answers to those questions are a resounding and unfortunate yes, then are you a deadly exponentially growing existential threat to yourselves .... and it is gravely to be regarded and best entirely avoided at whatever exorbitant costs are required.

  12. Anonymous Coward

    Fewer JLR cars manufactured

    Possibly an unexpected benefit…
