In 2025, Jaguar Land Rover (JLR) faced an unprecedented cyberattack, marking the most severe incident in British history, causing significant losses in revenue, production halts, and supply chain disruptions. This massive disruption was due not solely to the attack itself but to how JLR's systems were designed—highly efficient yet lacking adequate failure readiness.
The cyberattack led to a widespread shutdown of JLR’s IT environment, affecting operations globally, including the UK, Slovakia, Brazil, and India, disrupting thousands of jobs and supplier processes. The financial impacts were severe, causing JLR to lose around £50 million weekly and the UK's economic impact was estimated at £1.9 billion. With more than 5,000 businesses affected, the UK government intervened with a £1.5 billion loan guarantee to stabilize the supply chain.
A critical factor was JLR's integrated and tightly coupled systems, which, while optimized for normal operational efficiency, lacked the necessary features to isolate affected systems during an attack. As a result, when systems were breached, JLR's only option was a complete shutdown. The organization’s reliance on shared enterprise platforms and third-party services further exacerbated this issue, limiting the ability to mitigate disruptions independently.
This incident underscores a broader issue in digitally integrated industries: focusing predominantly on performance—such as cost reduction, throughput increase, and global scaling—often overlooks critical concerns about system resilience and operational flexibility. Questions about system trust, isolation, decision-making centralization, and expanded attack surfaces tend to be left unanswered until a crisis forces these considerations to the forefront.
In JLR's case, the cyberattack utilized common techniques like social engineering and credential misuse. However, the deep integration of its systems, aimed at efficiency and competitiveness, proved a liability under stress. Once trust in the system was compromised, a binary choice emerged: trust the system in its entirety or shut it down. This lack of flexibility was not merely an oversight but an inherent consequence of their operating model, designed more for performance than failure resilience.
For ISACA practitioners, this incident offers essential lessons on governance and system design. It emphasizes the importance of considering efficiency trade-offs at the design stage, defining resilience goals and treating isolation as a crucial governance factor. It further underscores that understanding the recovery dependence on third parties, aligning discussions on failure behaviors with performance goals and testing response plans for worst-case scenarios are crucial steps toward building more robust systems.
Ultimately, the takeaway for practitioners is clear: designing systems not just for success, but also for failure, is vital. Governance models must focus on how systems behave under stress, ensuring all trade-offs are visible and well-considered.
ISACA members can read Mary Carmichael’s full ISACA Journal Volume 2 article on this topic here.