Critical Lessons from the JLR and Collins Aerospace Attacks

When Jaguar Land Rover’s (JLR) production lines came to a halt on August 31, 2025, it signaled one of the most severe cyber attacks in automotive history. Despite investing over £800 million in cybersecurity and IT infrastructure, the company faced a ransomware assault that cost nearly £50 million per week, threatening 200,000 supply chain jobs. Just weeks later, a similar crisis struck Collins Aerospace, when a ransomware attack crippled its MUSE check-in software, disrupting major European airports like Heathrow, Berlin, Brussels, and Dublin.

These back-to-back breaches exposed a disturbing truth: even corporations with vast cybersecurity budgets and advanced global partners are not immune. If organizations like JLR and Collins can be breached, what hope do smaller enterprises have?

The Illusion of Complete Protection

The first lesson is unsettling: enterprise-grade solutions don’t guarantee immunity. Both companies used globally reputed cybersecurity vendors and had made major investments in protection. Yet both were breached. The reason isn’t failed technology; it’s human and process vulnerabilities.

Reports suggest JLR’s attackers gained access through stolen credentials—likely via social engineering, a hallmark of the Scattered Spider group. No firewall or antivirus can stop an intruder using legitimate credentials. Similarly, Collins Aerospace was infiltrated by the HardBit ransomware, which experts describe as “basic.” The simplicity of the malware was overshadowed by the attackers’ precision in credential theft and lateral movement.

Organizations often treat cybersecurity as a technology problem, but it is deeply human in nature. Phishing emails, fake IT requests, and social engineering bypass even the most sophisticated systems. Until security architecture is designed around human imperfection, breaches will continue to succeed.

The Supply Chain Multiplier Effect

The JLR and Collins incidents also revealed how cyber attacks cascade across entire ecosystems. When JLR stopped production, hundreds of smaller manufacturers faced bankruptcy. Similarly, when Collins Aerospace’s systems went offline, airlines and airports across Europe were forced into manual operations, grounding flights and stranding passengers.

This demonstrates how interconnected modern enterprises are. Supply chain cybersecurity is rarely prioritized—many organizations focus only on financial or operational risks. Yet, your weakest partner defines your true security posture. Each link in the supply chain is both a potential entry point and a vulnerability multiplier.

What Extensive Investment Misses

Despite enormous cybersecurity spending, both organizations failed to prevent catastrophe. This exposes a key problem—misaligned priorities in cybersecurity investments. 

Most funds go toward detection and prevention tools rather than:

Human-centric security design: Most security solutions assume perfectly trained, always-vigilant users. They don’t account for the reality that humans make mistakes, especially under pressure or when facing sophisticated social engineering. When an attacker impersonates a help desk technician or creates urgency around a “critical security update,” even well-trained employees can make wrong decisions.

Continuous readiness versus periodic audits: Many organizations treat security assessments as annual or quarterly exercises. They pass audits, check compliance boxes, and assume they’re protected. But attackers don’t work on quarterly cycles. They’re probing defenses constantly, looking for the brief window when a patch hasn’t been applied, when an employee is having a bad day, or when a new system is introduced without adequate security review.

Incident response capabilities: Detection is only valuable if you can respond effectively. Both JLR and Collins Aerospace had to completely shut down systems to contain the attacks—a last resort that caused massive disruption. Better incident response capabilities might have enabled more surgical containment, isolating affected systems without paralyzing entire operations.

Long-term behavioral monitoring: Advanced persistent threats don’t announce themselves. They unfold over weeks or months, with attackers taking small, seemingly innocuous actions that build toward larger objectives. Security systems with short-term memory miss these patterns because each event looks normal. Only by maintaining long-term context can you connect the dots.

The Attribution Challenge: Learning from Past Breaches

Collins Aerospace’s second major breach, only two years after being attacked by the BianLian ransomware group in 2023, reveals another crucial gap — insufficient learning from past incidents.

Attackers often spend weeks conducting reconnaissance before launching an attack — mapping networks, studying configurations, and identifying weak points. Even after a breach is “resolved,” attackers may leave hidden backdoors or sell the intelligence to other groups.

This means incident response can’t stop at fixing immediate vulnerabilities. Organizations must ask:

  • What information did attackers gain about our systems?
  • Did they leave behind covert access mechanisms?
  • What new vulnerabilities might now exist?

Without comprehensive forensic investigation, many organizations move forward without realizing they remain compromised. In the Collins case, remnants from the 2023 attack may have facilitated the 2025 breach — a stark reminder that cyber attacks are rarely one-off events.

Practical Steps Organizations Should Take

So what should organizations learn from these high-profile incidents? Here are some practical steps:

  1. Assume Compromise: Adopt the mindset that breaches are inevitable. Build architecture that minimizes damage when attackers get in — using micro-segmentation, zero-trust access, and continuous authentication.

  2. Test Incident Response Regularly: Don’t wait for a crisis to test your response plan. Conduct realistic simulations that test not only technology but also people and decision-making. Treat it like a fire drill — frequent and practical.

  3. Strengthen Supply-Chain Security: Demand transparency and accountability from all third-party partners. Go beyond compliance certificates to understand their real-world security posture, detection speed, and containment processes.

  4. Design for Human Error: Build systems that reduce the impact of inevitable mistakes. Features like message-recall delays, multi-step approvals for sensitive actions, and contextual warnings can prevent simple human errors from turning into major incidents.

  5. Move from Alert-Driven to Risk-Driven Security: Not all alerts carry equal importance. Focus on the business impact of each event, not just its technical severity. Prioritize threats that can cause tangible damage.

  6. Adopt Long-Term Behavioral Analytics: Cyber threats often develop slowly. Systems capable of correlating unusual patterns over long periods are more likely to detect sophisticated intrusions.
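As an added illustration of the point made under "Long-term behavioral monitoring" and in step 6 (this is example code, not from the article or either company): a small Python detector run over constructed logon events. One service account touches a single never-before-seen host each day, so a one-day window sees nothing unusual, while a 30-day window reveals the slow spread across hosts. The account names, hosts and the threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (timestamp, user, host); not real telemetry.
# "svc-backup" logs on to one new host per day for 30 days, the low-and-slow
# pattern described in the text; "alice" alternates between her two usual hosts.
def build_sample_events():
    start = datetime(2025, 8, 1)
    events = []
    for day in range(30):
        events.append((start + timedelta(days=day, hours=9), "svc-backup", f"host-{day:02d}"))
        events.append((start + timedelta(days=day, hours=8), "alice",
                       "ws-alice" if day % 2 else "fileserver-1"))
    return events

def distinct_hosts_per_user(events, window_days, end=None):
    """Count distinct hosts each user logged on to within a trailing window.

    The window ends at `end` (default: the latest event), so the same events
    can be evaluated with a short memory or a long one.
    """
    end = end or max(ts for ts, _, _ in events)
    cutoff = end - timedelta(days=window_days)
    hosts = defaultdict(set)
    for ts, user, host in events:
        if cutoff < ts <= end:
            hosts[user].add(host)
    return {user: len(h) for user, h in hosts.items()}

def detect_slow_spread(events, window_days, threshold):
    """Return the users whose distinct-host count in the window exceeds threshold (assumed value)."""
    counts = distinct_hosts_per_user(events, window_days)
    return {user for user, n in counts.items() if n > threshold}

if __name__ == "__main__":
    events = build_sample_events()
    for window in (1, 30):
        # 1-day window: set(); 30-day window: {'svc-backup'}
        print(f"{window:2d}-day window:", detect_slow_spread(events, window, threshold=5))
```

Each day's single logon is indistinguishable from routine activity; only the long-window count connects the dots.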

The Role of Security Vendors and Solutions

These incidents should also serve as a wake-up call for the cybersecurity industry itself. If even well-resourced enterprises with leading vendors can be compromised, there’s a need to rethink how solutions are designed and integrated.

Too many tools are built for ideal conditions — assuming organizations have perfectly trained users and 24/7 expert monitoring. The reality is far more complex. Security solutions must adapt to imperfect, high-pressure environments with overworked teams, limited expertise, and unpredictable human behavior.

Equally important is integration. Large enterprises often deploy multiple, disconnected security products. Attackers exploit the gaps between these tools. Unified platforms that provide centralized visibility, analytics, and coordinated response are essential for modern defense.

Moving Forward

The cybersecurity industry often treats major breaches as anomalies — isolated cases of oversight or negligence. But when well-funded, highly compliant organizations suffer crippling attacks, it’s time for deeper reflection.

The truth is that cybersecurity isn’t a destination achieved by certifications or spending. It’s a continuous process of learning, adaptation, and vigilance. Attackers evolve constantly, refining their tactics. Defenders must evolve faster.

The real takeaway from the JLR and Collins Aerospace attacks isn’t that they failed — it’s that no one is immune. Even the most secure organizations must accept that resilience, not perfection, is the goal.

The critical question every organization should now ask isn’t “How did this happen to them?” but “What are we doing to ensure it doesn’t happen to us?” And for many, the honest answer remains — not enough.