Bank of England says JLR's cyberattack contributed to UK's unexpectedly slower GDP growth
- Reference: 1762515858
- News link: https://www.theregister.co.uk/2025/11/07/bank_of_england_says_jlrs/
- Source link:
We've not had anything like this before, where the company has not made any cars for a month
In the [1]announcement on Thursday, the BoE - which held interest rates at 4 percent - said the UK's headline GDP grew by a projected 0.2 percent in calendar Q3, a slight fall compared to the 0.3 percent predicted in the bank's August Q2 report.
Weaker exports to the US, plus JLR's cyberattack, which was so damaging that the government had to step in and [2]offer financial support , were the two reasons given by the BoE for this slower growth.
This is thought to be the first case in which a cyberattack has caused material economic and fiscal harm to the UK.
According to the most [3]recent report from the Office for Budget Responsibility (OBR), dated 2021, while cyberattacks are a growing threat to Britain, none had caused sufficient disruption to adversely impact the entire economy.
[4]
The [5]Cyber Monitoring Centre (CMC), which categorizes the most impactful cyberattacks by severity, said in late October that the JLR attack was deemed a [6]Category 3 systemic event , which could cost the local economy up to £2.1 billion ($2.75 billion).
[7]
[8]
Economists previously estimated the harm to JLR alone could be north of £2 billion in lost revenues.
Not only did the attack have a devastating consequence for JLR's production, with its major plants across the country [9]shutting down for several weeks , but the impact was [10]felt throughout its extensive supply chain – a factor that influenced the government's rare financial intervention.
[11]
"It's one of the worst crises the company has ever faced," said David Bailey, professor of business economics at the University of Birmingham.
"We've seen it get through the global financial crisis, through COVID, through the semiconductor crisis, but we've not had anything like this before, where the company has not made any cars for a month."
JLR's cyber-instigated shutdown in September followed a rough few months for UK businesses, which were battered by major cyberattacks over the summer.
[12]
Most notable of these were the incidents at British retail giants M&S, Co-op, and Harrods. All of these attacks were linked to Scattered Spider, but this has yet to be publicly confirmed by officials, who [13]arrested and later bailed four in connection with the attacks in July.
Illustrating the damage cyberattacks are routinely inflicting on UK companies of late, M&S this week [14]forecast clean-up costs of £136 million ($178 million).
Much of this was covered by the retailer's £100 million ($131 million) maximum claim on its cyber insurance policy.
The £136 million pertained only to the incident response and cleanup expenses related to the attack itself, not the wider disruption to trade as online sales were closed, including Click & Collect services. Profits in the first half of this year tumbled 55.4 percent.
In its May 2025 profit and loss accounts, M&S warned that cyber-related costs could run up to £300 million ($393 million) by year-end.
The National Cyber Security Centre (NCSC) said last month the number of nationally significant cyberattacks affecting UK organizations had skyrocketed in the year to September, up to 204 from 89 the previous year.
GCHQ's cyber arm demanded that organizations take action to shore up their defenses in its [15]annual review , noting a lack of urgency despite high-profile cybercriminals increasingly targeting the country.
NCSC chief exec Richard Horne said: "Cybersecurity is now a matter of business survival and national resilience. With over half the incidents handled by the NCSC deemed to be nationally significant, and a 50 percent rise in highly significant attacks compared to last year, our collective exposure to serious impacts is growing at an alarming pace.
"The best way to defend against these attacks is for organizations to make themselves as hard a target as possible. That demands urgency from every business leader: hesitation is a vulnerability, and the future of their business depends on the action they take today. The time to act is now." ®
Get our [16]Tech Resources
[1] https://www.bankofengland.co.uk/monetary-policy-report/2025/november-2025
[2] https://www.theregister.com/2025/09/29/jlr_government_loan/
[3] https://obr.uk/box/the-fiscal-risks-posed-by-cyberattacks/
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aQ4lpiQViTQoRAj5W4UupwAAAEc&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[5] https://www.theregister.com/2025/02/07/uk_cyber_monitoring_centre/
[6] https://www.theregister.com/2025/10/22/jaguar_lander_rover_cost/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aQ4lpiQViTQoRAj5W4UupwAAAEc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aQ4lpiQViTQoRAj5W4UupwAAAEc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://www.theregister.com/2025/10/06/jlr_phased_production/
[10] https://www.theregister.com/2025/09/23/jaguar_landrover_shutdown_extended/
[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aQ4lpiQViTQoRAj5W4UupwAAAEc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aQ4lpiQViTQoRAj5W4UupwAAAEc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[13] https://www.theregister.com/2025/07/10/nca_arrests_four_in_connection/
[14] https://www.theregister.com/2025/11/05/ms_pegs_cyberattack_cleanup_costs/
[15] https://www.theregister.com/2025/10/14/ncsc_uk_cyberattack_surge/
[16] https://whitepapers.theregister.com/
Re: So now we know that cyberattacks cost ...
Agreed. Security should be baked in from the beginning. Unfortunately it always seems to be bolted on after the fact. This is suboptimal and leaky as fuck. Doing things right costs money up front, not doing it right costs a fuck tonne of nightmarish horror down the line. How many times do we see this? When will it change?
Re: So now we know that cyberattacks cost ...
"When will it change?"
By now it should be dawning on boards and, I hope, fund managers, that insurance isn't really going to cover the reputational damage and general chaos that they've seen the Co-op, M&S & JLR experiencing. They should be asking their IT depts what they're going to do about hardening systems, building in resilience etc. (BTW have any commentards been on the receiving end of such questions?). I do fear, however, that some are going to simply reply "More Microsoft" if comments here are anything to go by.
Re: So now we know that cyberattacks cost ...
They should be asking their IT depts what they're going to do funding their IT depts so that they can finally do something about hardening systems, building in resilience etc.
FTFY
Re: So now we know that cyberattacks cost ...
Lots of corporations do put funds in to the problem.
They purchase something called "cyber insurance".
As long as they have a cyber security essentials certificate to go with it they are all good and can tell everyone they are fully protected from cyber threats.
At a recent employer we had a little "ritual" whenever a client needed to renew their cyber security essentials certification. The relavant manager would call me to let off some steam by ranting about the latest bullshit questions from the assessor. When they were done I would ask "Did they add a requirement to encrypt laptop hard drives yet"? They would then answer: "No, which is why all of our clients can say they exceed government cyber security certification requirements."
first case in which a cyberattack has caused material economic and fiscal harm to the UK
It might be argued that _any_ cyberattack causes material economic harm, successful or otherwise. Even the threat of such is sufficient to cause companies to spend on insurance, increasing the price of their products, and significantly, _not_ reducing the damage when an attack succeeds. It may be that any mitigation insisted on by the insurer is a benefit, but does that reduce the risk of costs long term?
Dodgy figures.
JLR are an Indian company, owned by Tata. The only costs were the incidental ones (any local parts of the supply chain) and a bit less tax paid.
Hardly anything of any size in the UK is British owned. Except when it loses so much money it has to be nationalised and run at a loss for political reasons, like British Steel. The new EU tariffs may see the British steel industry become the modern equivalent of British Leyland.
I wonder how many checks the insurers of these companies did before offering them an insurance policy. They might want to improve that process.
Re: Dodgy figures.
Nonsense
The business activity occured in the UK and counted as part of UK GDP. The same with any (eg) car manufacturer whether in Swindon or Tyneside or elsewhere in the UK.
Profits not reivested in the existing business might count against UK trade balances, and in this case losses that have been supported by funds from overseas will actually count towards them!
Re: Dodgy figures.
So we should expect a dip in GDP for Slovakia then as well? As JLR products built there for the UK market were also interrupted.
Re: Dodgy figures.
"The same with any (eg) car manufacturer whether in Swindon".
Keep up at the back!
There is no car manufacturing in Swindon, and hasn't been for at least 4 years.
Try Derby or Oxford.
Hmm
Are they hoping it has nothing to do with Rachel from accounts?
TCS. Totally Cocked-up Systems.
JLR is owned by Tata. It's IT is run in-house by TCS. TCS is owned by Tata.
As own goals go, it's been pretty impressive.
Unless of course you own a failing car maker, making cars in a country with very high labour costs, in a continent that has the most competitive car market in the world, a continent with a massive oversupply of both car production and car plants, along with a car brand who's relaunch didn't just flatline, its gone negative.
Then it might just be a convenient way to restructure your business, make mass redundancies in the UK, perhaps even liquidate the UK business, then move car making to cheaper countries, perhaps like India, and retire a dead car brand.
And blame it on a 'cyberattack'.
So now we know that cyberattacks cost ...
(as if we did not know that already) so when are government and corporations going to put real effort and funds into preventing it in the first place ?
100% prevention is a pipe dream but we can reduce the number of attacks and/or their impact.
The trouble is that it is cost today for probable benefits tomorrow - something that short term attitudes by politicians and corporate bean counters are averse to.