The JLR and Collins Aerospace Disasters: When Britain's Critical Infrastructure Becomes a Criminal Playground

The last few weeks have delivered a masterclass in how not to secure critical infrastructure. While you were probably focused on getting through your daily business operations, criminal gangs systematically destroyed two of Britain's most important industrial sectors. Jaguar Land Rover suffered a devastating ransomware attack that shut down production for over three weeks, costing £72 million per day in lost sales. Meanwhile, US aerospace giant Collins Aerospace's systems were compromised, bringing chaos to major European airports, including Heathrow, Brussels, and Berlin.

These aren't isolated incidents. They're symptoms of a systemic failure that has been accelerating throughout 2025, following the same playbook that destroyed M&S, Co-op, the BHA, and numerous other organisations we've analysed in previous articles. The pattern is now undeniable: Britain's critical infrastructure has become vulnerable to both domestic security failures and international supply chain compromises, leaving essential services exposed to predictable attack vectors.

The JLR Catastrophe: When £38 Billion Revenue Means Nothing Against Basic Social Engineering

Jaguar Land Rover, with annual revenue of over £29 billion and directly employing 33,000 people in the UK, while supporting a further 104,000 jobs in the supply chain, was brought to its knees by a group calling itself "Scattered Lapsus$ Hunters" starting August 31, 2025. Let that sink in for a moment. One of Britain's flagship manufacturers, producing over 400,000 vehicles annually, was completely paralysed by the same criminal network we analysed in our DragonForce parliamentary hearing coverage.

The attack methodology was depressingly familiar. The group combines elements from Scattered Spider, Lapsus$, and ShinyHunters – the same affiliates that devastated M&S and Co-op earlier this year. They used social engineering to compromise credentials, then deployed ransomware across JLR's systems, forcing a complete production shutdown.

Here's what makes this particularly infuriating: JLR had invested £800 million in cybersecurity and IT support through a contract with Tata Consultancy Services. The same TCS that we identified as the weak link in the M&S attacks. The exact outsourcing model that created the security failures we warned about in our technical debt analysis. The same fundamental misunderstanding persists: cybersecurity is viewed as an IT problem rather than a business resilience issue.

The economic impact has been catastrophic. Every day of disruption costs JLR £72 million in sales, with the company's production shutdown extending well beyond the initial target date of September 24. Suppliers have been warned that the disruption could last into November. JLR's three UK plants typically produce around 1,000 vehicles daily, and suppliers across Europe have been forced to scale back or pause production.

One smaller JLR supplier has already laid off 40 people, nearly half its workforce, while hundreds more workers at major suppliers have been told to stay home. This is precisely the supply chain cascade failure we predicted in our analysis of the Ingram Micro disaster. What makes this even more concerning is that JLR has reportedly told the government that this cyberattack is more disruptive and complex than the hacks that hit M&S and Co-op earlier this year, warning that some suppliers are unlikely to survive without taxpayer support.

Collins Aerospace: When European Aviation Depends on American Single Points of Failure

Just when you thought the UK couldn't demonstrate any more spectacular cybersecurity incompetence, US aerospace giant Collins Aerospace got hit on September 19-20, 2025, in what the European Union's cybersecurity agency ENISA has now confirmed was a ransomware attack, bringing down check-in and boarding systems at Heathrow, Brussels, Berlin, and other major European airports.

This attack perfectly illustrates the systemic risk we've been highlighting in our coverage of shadow IT and supply chains, but with an international twist. Collins Aerospace, a subsidiary of RTX Corporation (formerly Raytheon Technologies), provides check-in and boarding systems for multiple airlines across numerous airports globally, creating a transatlantic single point of failure that can disrupt aviation networks across continents.

The cybersecurity incident affected Collins' MUSE check-in and boarding software, forcing airports to revert to manual operations and triggering widespread delays and cancellations. Brussels Airport asked airlines to cancel half of Monday's scheduled departures because Collins failed to provide a secure, updated version of its software in time. The European Union's cybersecurity agency, ENISA, confirmed on Monday that this was indeed a ransomware attack targeting a third-party provider of Collins Aerospace.

The attack exposed the aviation industry's dangerous over-reliance on centralised third-party providers. Experts warn that attacks on the aviation sector have surged 600% from 2024 to 2025, highlighting the risks associated with efficiency-driven yet vulnerable models. This is the inevitable result of prioritising cost savings over security resilience, exactly the mentality we've criticised in our technical debt and MSP security failure analyses.

Latest Developments: The Ongoing Fallout

As of September 23, 2025, the situation remains in flux. Collins Aerospace has reportedly entered the "final stages" of deploying software updates to restore full functionality to its MUSE system, with disruptions at Berlin and Heathrow significantly reduced by Sunday. However, the ransomware confirmation by ENISA raises serious questions about whether Collins paid a ransom or recovered through other means.

Meanwhile, JLR's situation has worsened considerably. What started as an August 31 attack has stretched well beyond the September 24 restart date, with industry sources warning the disruption could last into November. The government is now facing severe pressure to implement emergency support measures as supply chain businesses are on the verge of collapse.

The Pattern Recognition Problem: Why Nobody Learns From Previous Disasters

What makes these attacks particularly maddening is that they follow the same pattern we've been documenting throughout 2025. Look at the methodology:

Social Engineering at Scale: Just like the M&S and Co-op attacks we covered in our DragonForce parliamentary hearing analysis, both JLR and Collins fell victim to sophisticated social engineering. These attacks succeeded because help desk staff lacked robust identity verification procedures, the same weakness that enabled the M&S breach.

Third-Party Provider Vulnerabilities: The proposed Cyber Security and Resilience Bill would have directly impacted Tata Consultancy Services, the managed service provider used by JLR, M&S, and Co-op. All three companies suffered breaches through the same outsourcing model we've been warning about.

Supply Chain Cascade Failures: The JLR attack mirrors the supply chain disruption we analysed in the Ingram Micro disaster, with suppliers across Europe forced to scale back production. The Collins attack demonstrates how international supply chain dependencies create vulnerabilities - European airports became collateral damage when an American aerospace company's systems were compromised.

Inadequate Government Response: The attack triggered an urgent debate in the House of Commons, with MPs drawing comparisons to recent cyber incidents at Marks & Spencer, the NHS, and the British Library. Yet we're still seeing the same fundamental vulnerabilities exploited repeatedly.

This is the cybersecurity equivalent of Groundhog Day, except that each iteration incurs hundreds of millions of dollars in economic damage.

The £48 Billion Question: Why Ingram Micro's Lessons Went Unheeded

The JLR and Collins attacks become even more frustrating when you remember that we had a perfect case study just two months earlier. In our coverage of the Ingram Micro ransomware disaster, we detailed exactly how the SafePay criminal group exploited VPN credentials to destroy a £48 billion global operation.

The attack vectors were identical:

  • Compromised employee credentials

  • VPN security failures

  • Inadequate multi-factor authentication

  • Help desk social engineering

Yet neither JLR nor Collins implemented the basic security controls we recommended. The technical picture suggests a ransomware operation targeting core IT assets, with attackers gaining access to sensitive infrastructure and raising the possibility of an IT-OT crossover. This is precisely the escalation pattern we predicted would follow from the Ingram Micro breach.

The Economics of Systemic Failure

Let's quantify the economic carnage from just these two attacks:

JLR Financial Impact:

  • £72 million daily revenue losses during production shutdown (confirmed by multiple sources)

  • Production shutdown starting September 1, initially extended to September 24, now potentially until November

  • One supplier has already laid off 40 people (nearly half its workforce)

  • Hundreds more workers at major suppliers told to stay home

  • The government is facing calls for an emergency furlough scheme to prevent business failures

Collins Aerospace Disruption:

  • ENISA-confirmed ransomware attack affecting MUSE software globally

  • Flight delays and cancellations across Heathrow, Brussels, Berlin, and Dublin

  • Brussels Airport forced to cancel half of Monday's departing flights

  • Manual fallback operations cost millions in operational overhead

  • Multiple departures and arrivals were cancelled across affected airports on Saturday alone

When you add these to our previous coverage of M&S (£300 million losses), the BHA breach, and the Ingram Micro disaster, we're looking at combined losses exceeding £2 billion from just the major incidents we've analysed this year.

This isn't sustainable. We're experiencing economic warfare through cybersecurity negligence, and British businesses are losing spectacularly.

The Technical Debt Reality Check

Both attacks perfectly validate the technical debt warnings we've been issuing throughout our coverage this year. Even JLR's £800 million investment in cybersecurity and IT infrastructure couldn't prevent basic social engineering attacks. This demonstrates exactly what we predicted in our M&S vs Co-op technical debt analysis: throwing money at the problem without addressing fundamental architectural weaknesses doesn't improve security.

The Collins attack illustrates the shadow IT problem we've extensively covered. Aviation systems depend on third-party providers like Collins for critical functions, creating invisible dependencies that become single points of failure. When Collins' MUSE software was compromised, it didn't matter how secure individual airports' systems were – the centralised dependency destroyed resilience across the entire network.

The MSP Security Theatre Continues

TCS, the managed service provider used by JLR, previously said it was investigating reports that its support staff had been socially engineered during the M&S attacks. The company subsequently denied its systems were "compromised," but failed to respond to requests about whether social engineering qualified as a compromise.

This is precisely the MSP security theatre we criticised in our Scattered Spider helpdesk analysis. MSPs like TCS market themselves as cybersecurity experts, yet consistently fail to implement basic identity verification procedures. They externalise risk to client organisations while avoiding accountability for security failures.

The result is a perverse incentive structure where MSPs profit from managing security while bearing none of the consequences when security fails. Until this changes, we'll continue to see the same social engineering attacks succeed repeatedly.

Government Response: Too Little, Too Late, Too Toothless

Chris McDonald, minister in the Department of Business and Trade, met with JLR to 'discuss their plans to resolve this issue and get production started again,' with government cyber experts supporting the company. Meanwhile, trade union Unite has called for a government furlough scheme similar to the COVID-19 scheme to protect the thousands of supply chain workers facing immediate job threats. This reactive approach perfectly encapsulates everything wrong with UK cybersecurity policy.

The government waits for a major economic disruption, then offers support after criminal gangs have already extracted hundreds of millions in damage. The proposed Cyber Security and Resilience Bill would have impacted companies like TCS, but legislation moves too slowly while attacks accelerate.

Meanwhile, Poland faces numerous cyberattacks daily and has raised its cybersecurity budget to €1 billion this year. They understand that cybersecurity is national defence. The UK treats it as an IT support issue.

The Attribution Shell Game

The hackers allegedly behind JLR claimed they disabled some infrastructure last week amid suspicion that law enforcement was drawing closer, though security experts warned the claims were likely a diversion. This demonstrates the sophisticated disinformation campaigns that now accompany major cyberattacks.

Criminal organisations are fragmenting while remaining collaborative, with members shifting between groups and sharing knowledge across operations. We're dealing with a constantly evolving threat landscape where traditional law enforcement approaches are inadequate.

Approximately 76% of victims ultimately pay ransoms, despite government guidance against making such payments. This creates a profitable feedback loop that funds increasingly sophisticated attacks.

The Supply Chain Vulnerability Crisis

Both attacks highlight the supply chain vulnerabilities we've been tracking throughout our coverage. Services provided by a single company represent a single point of failure, with attacks creating significant ripple effects across multiple sectors.

The automotive industry depends on just-in-time manufacturing and integrated supply chains. When JLR shuts down production, suppliers across Europe face immediate disruption. Similarly, when Collins' airport systems fail, airlines worldwide face operational chaos.

This interdependency isn't inherently bad, but it requires security resilience that is proportional to the systemic risk. Instead, we're seeing cost optimisation that externalises cybersecurity risk while concentrating operational dependencies.

What Actually Needs to Change (And Why It Won't Happen)

The solutions to prevent these attacks are embarrassingly simple, and we've detailed them repeatedly in our previous coverage:

Proper Multi-Factor Authentication: Hardware security keys for all administrative access. The technology costs £20 per user and takes 30 minutes to implement.

Help Desk Security Procedures: Formal identity verification is required for all access requests. Call-back verification using registered numbers. No exceptions for "urgent" requests.

Network Segmentation: Critical systems isolated from administrative networks. This is basic firewall configuration, not rocket science.

Supply Chain Security: Vendor risk assessments, contractual security requirements, and regular security audits of third-party providers.

Incident Response Planning: Pre-authorised shutdown procedures, tested communication protocols, and business continuity plans that don't assume IT systems will be available.
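
To make the Help Desk Security Procedures control concrete, here is an added example (not from the sources cited in this article) of a reset-request gate that only trusts a call-back to the directory's registered number and ignores the "urgent" flag. The record and ticket types, the one-time code, and the seven-day cooling-off period after a number change are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import re

# Assumption (not in the article): a registered number changed this recently
# is not trusted yet, since swapping the number can precede a fake callback.
NUMBER_COOLING_OFF = timedelta(days=7)

@dataclass
class DirectoryRecord:               # hypothetical identity-directory entry
    registered_phone: str
    phone_changed_at: datetime

@dataclass
class ResetRequest:                  # hypothetical help desk ticket
    user: str
    caller_supplied_phone: str       # kept for audit, never used to verify
    callback_dialled: Optional[str]  # number the agent actually rang back
    callback_code_ok: bool           # one-time code confirmed on the callback
    marked_urgent: bool

def normalise_uk(number: str) -> str:
    """Reduce a UK number to +44 form so formatting cannot hide a mismatch."""
    digits = re.sub(r"[^\d+]", "", number.replace("(0)", ""))
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    if digits.startswith("0"):
        digits = "+44" + digits[1:]
    return digits

def evaluate(req, directory, now):
    """Return (approved, reasons); urgency is logged but relaxes nothing."""
    rec = directory.get(req.user)
    if rec is None:
        return False, ["user not in directory"]
    reasons = []
    registered = normalise_uk(rec.registered_phone)
    if req.callback_dialled is None:
        reasons.append("no callback placed")
    elif normalise_uk(req.callback_dialled) != registered:
        reasons.append("callback went to a number other than the registered one")
    if not req.callback_code_ok:
        reasons.append("one-time code not confirmed on callback")
    if now - rec.phone_changed_at < NUMBER_COOLING_OFF:
        reasons.append("registered number changed within cooling-off period")
    if req.marked_urgent and reasons:
        reasons.append("urgent flag ignored: no exceptions")
    return not reasons, reasons

# Constructed sample data (07700 900xxx is a UK range reserved for fiction).
NOW = datetime(2025, 9, 23, 9, 0, tzinfo=timezone.utc)
DIRECTORY = {
    "asmith": DirectoryRecord("07700 900123", NOW - timedelta(days=400)),
    "bjones": DirectoryRecord("07700 900222", NOW - timedelta(days=2)),
}
LEGIT = ResetRequest("asmith", "07700 900123", "+44 7700 900123", True, False)
SPOOFED = ResetRequest("asmith", "07700 900456", "07700 900456", True, True)
RECENT = ResetRequest("bjones", "07700 900222", "07700 900222", True, True)

if __name__ == "__main__":
    for req in (LEGIT, SPOOFED, RECENT):
        print(req.user, evaluate(req, DIRECTORY, NOW))
```

The number the caller supplies is stored on the ticket but never read by `evaluate`, so a convincing story cannot redirect the call-back.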

The reason these controls aren't implemented is not technical capability or cost. It's organisational psychology and perverse incentives. Companies optimise for operational efficiency over security resilience until an attack forces recognition that efficiency without resilience is ultimately inefficient.

The Behavioural Economics of Cyber Negligence

Why do organisations consistently fail to implement basic security controls despite repeated examples of catastrophic breaches? Our coverage throughout 2025 suggests several psychological factors:

Optimism Bias: "It won't happen to us" despite statistical evidence suggesting it probably will.

Sunk Cost Fallacy: Continuing to rely on existing systems and providers despite evidence of their inadequacy.

Diffusion of Responsibility: MSPs manage security, so internal teams assume someone else is handling the problem.

Short-term Thinking: Security investments incur costs today for benefits that may never materialise if they're successful.

Complexity Aversion: Comprehensive security requires coordinating across technical, legal, and business functions, which many organisations find difficult.

These aren't IT problems. They're management failures that IT systems amplify.

The Coming Regulatory Reckoning

European Union Aviation Safety Agency officials are scrambling to respond, with calls for mandatory cyber audits and diversified IT architectures. Regulatory pressure is mounting as the economic consequences of cybersecurity failures become increasingly difficult to ignore.

Australia has mandated reporting of ransom payments, a model that could shed light on the true scale of attacks. Transparency requirements may force organisations to confront the reality of cybersecurity risk rather than hoping attacks remain private.

However, regulation alone won't solve the underlying problems. Compliance frameworks often become checkbox exercises that satisfy auditors while failing to improve security resilience.

The International Context: When European Infrastructure Depends on American Vendors

These attacks highlight a critical vulnerability in how European critical infrastructure depends on American technology providers. Collins Aerospace, despite being a US company, provides essential services to European airports, creating cross-border dependencies that amplify cybersecurity risk.

When Collins' systems were compromised, it didn't matter how secure individual European airports' systems were - the centralised American dependency destroyed resilience across the entire network. This demonstrates how cybersecurity failures cascade through integrated international economies, making British and European businesses vulnerable to attacks on American infrastructure providers they may not even realise they depend on.

Conclusion: The Recurring Nightmare That Could Have Been Prevented

The JLR and Collins Aerospace attacks represent everything we've been warning about throughout our 2025 coverage, and they're still ongoing. They validate our analysis of technical debt, supply chain vulnerabilities, MSP security failures, and the inadequacy of government response to systemic cybersecurity risk. As we publish this, JLR's factories remain shuttered with no clear restart date, suppliers are laying off workers, and the government is scrambling to prevent business failures through emergency support schemes.

Collins Aerospace has restored most functionality after what ENISA confirmed was a ransomware attack; however, the aviation industry now faces the uncomfortable reality that a single provider's compromise can simultaneously ground flights across multiple countries.

More frustrating is that both attacks were entirely preventable using controls we've detailed repeatedly. Both organisations had the resources, technology, and knowledge to implement adequate security measures. They chose not to, and criminal gangs exploited the predictable consequences.

Until businesses harden their identity systems, lock down integrations, and ensure they have a choice over their tech providers to avoid vendor lock-in, these cyberattacks will continue to occur. Attackers need patience. Defenders need urgency.

We're not lacking solutions. We're lacking the organisational will to implement them consistently before disasters force recognition of their necessity. The question isn't whether more attacks will succeed - it's whether British businesses will learn from these ongoing failures or continue to repeat them until cybersecurity negligence destroys their competitive advantage entirely.

The choice is simple: implement proper security controls now, or continue providing case studies for how not to protect critical infrastructure. Based on 2025's track record and the current situations at JLR and Collins Aerospace, we're not optimistic about which option most organisations will choose.

| Source | Document/Article | Date | Key Information |
|---|---|---|---|
| BleepingComputer | Jaguar Land Rover extends shutdown after cyberattack by another week | September 2025 | JLR production shutdown extension, data theft confirmation |
| ITV News | JLR cyber attack more disruptive than M&S hack | September 15, 2025 | £72 million daily losses, government supplier support warnings |
| The Register | Key lessons from Jaguar Land Rover's cyberattack | September 10, 2025 | Scattered Lapsus$ Hunters attribution, security failures analysis |
| Industrial Cyber | JLR cyberattack deepens with prolonged production outage | September 18, 2025 | Supply chain cascade effects, TCS connection analysis |
| ENISA | Collins Aerospace Ransomware Attack Confirmation | September 23, 2025 | Official ransomware classification, third-party provider impact |
| CNBC | What we know about the cyberattack that hit major European airports | September 21, 2025 | Collins MUSE software compromise, airport operational impact |
| Autoblog | JLR Cyberattack Is Forcing Layoffs at Its Suppliers | September 21, 2025 | Supplier workforce impact, 40-worker layoffs, supply chain disruption |
| Silicon UK | JLR Suppliers 'At Risk' As Cyber-Attack Fallout Continues | September 2025 | £72 million daily loss confirmation, Unite union furlough calls |
| Computer Weekly | JLR admits data has been compromised in cyber attack | September 2025 | Data breach confirmation, forensic investigation details |
| Cybersecurity Dive | JLR extends production delay following cyberattack | September 17, 2025 | Production extension timeline, NCSC response coordination |