When Your Biggest Customer Gets Hacked: The £1.9 Billion Lesson No One’s Talking About

Pull up a chair. Financial Accountant magazine just published my thoughts on the Jaguar Land Rover cyberattack, and I need to expand on something that keeps me awake at night.

The article covers the basics: JLR lost £1.9 billion, the Bank of England blamed it for slower UK growth, and small suppliers got destroyed in the aftermath. What I told Helena Vallely, the journalist who interviewed me, barely scratches the surface of the real danger facing UK small businesses.

Here’s what I didn’t have space to explain in detail.

The Double Vulnerability You’re Ignoring

Your business faces two completely different cyber risks, and most owners only worry about one.

Risk One: Someone hacks your systems directly. You get ransomware, lose customer data, spend six weeks rebuilding your network. That’s the threat everyone talks about.

Risk Two: Someone hacks your biggest customer. You don’t get breached at all, but you still lose everything.

That second risk killed more JLR suppliers than the first ever will.

After 40 years in this business, protecting everyone from Intel’s fabrication plants to Disney’s theme parks to the BBC’s broadcast infrastructure, I can tell you this: the attack you survive means nothing if your customer’s attack puts you under.

What Really Happened to JLR’s Supply Chain

Let me give you the numbers Financial Accountant couldn’t fit in.

JLR’s UK supply chain employs roughly 120,000 people across thousands of small and medium businesses. When JLR shut down production for six weeks, those suppliers didn’t just pause. They bled cash while their largest customer went dark.

One supplier, a firm I won’t name but know of through industry contacts, laid off 40 staff members. That’s half their workforce. Gone. Because JLR couldn’t place orders, couldn’t process invoices, couldn’t maintain the production cadence that kept their entire supply chain solvent.

The Cyber Monitoring Centre report estimates cascading losses through all tiers of suppliers. That’s corporate speak for “small businesses went bust because their anchor customer got hacked.”

I told Helena that a six-week disruption to your primary customer can mean insolvency. Let me be more specific.

If JLR represents 60% of your revenue, you’ve got maybe three weeks of cash reserves if you’re well-managed. Week four, you’re negotiating payment holidays with your landlord. Week five, you’re looking at redundancies. Week six, you’re meeting with insolvency practitioners.

You didn’t get hacked. You didn’t fail at cybersecurity. You just relied on a customer who did.

The Cyber Insurance Reality Check

Here’s where it gets worse. JLR had no cyber insurance. None. A £20 billion revenue company gambling that nothing bad would happen.

Marks & Spencer got hit four months earlier by the same threat actors, possibly through the same outsourced helpdesk route at Tata Consultancy Services. M&S had insurance and recovered a significant share of its costs. JLR is eating the full £1.9 billion loss.

But here’s the bit that should terrify you: your cyber insurance won’t pay out when your customer gets hacked and stops buying from you.

Read that again. A standard policy covers breaches of your own systems. Business interruption caused by someone else’s security failure is, at best, an optional “dependent” or “contingent” business interruption extension, and where that extension exists at all it usually names your IT and cloud providers, not a customer who stops placing orders. Check the actual wording before you assume you’re covered.

I told Helena that cyber insurance for businesses with £1-5 million revenue typically costs £1,500 to £5,000 annually for £1 million coverage. That’s accurate. But the quote Financial Accountant published doesn’t explain what you’re actually buying.

What Cyber Insurance Actually Covers

Policies vary dramatically. Some barely cover breach notifications. Others include business interruption, ransom payments, legal fees, regulatory fines, forensic investigations, public relations support, and credit monitoring for affected customers.

What they don’t cover:

  • Nation-state attacks (often excluded)

  • War or terrorism-related incidents

  • Unpatched systems (if you ignored known vulnerabilities)

  • Prior knowledge (if you knew about a weakness and didn’t fix it)

  • Supply chain disruption (when your customer gets hit; dependent business interruption cover, where an insurer offers it at all, is a separately priced add-on)

That last one is the killer. You pay for coverage, maintain good security, pass your Cyber Essentials certification. Then your biggest customer gets compromised, stops placing orders for two months, and your insurer tells you that’s not covered.

I’ve been in rooms at Intel where we discussed supplier financial stability. I’ve watched Disney evaluate vendor risk portfolios. I know how enterprise companies think about supply chain resilience. They assume you’ve got deeper reserves than you actually do.

Three Things You Can Do Right Now

Right, enough doom. Here’s what you do about this.

1. Map Your Customer Concentration Risk

Get a spreadsheet. List every customer. Calculate what percentage of revenue they represent. If any single customer accounts for more than 30% of your revenue, you have a concentration risk that could kill you.

Not “hurt you.” Kill you.

Now check their cybersecurity posture. You can’t audit their systems, but you can ask questions:

  • Do they have Cyber Essentials certification?

  • Who provides their IT support?

  • Do they have cyber insurance?

  • What’s their incident response plan?

If they laugh off your questions, that’s your answer. They’re vulnerable. Which means you’re vulnerable.

Start developing alternative customers now. Not next year. Now. Before your anchor customer becomes the anchor around your neck.
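The spreadsheet exercise above, the cash-runway arithmetic in the earlier JLR-at-60% paragraph, and Scenario Two’s “how long can we survive without their orders” are the same calculation done three ways. Here is an added worked example of that calculation; it is my own illustration, not anything from the Financial Accountant piece, from JLR, or from any real supplier’s books. The customer names and figures are constructed for a hypothetical £5 million tier-2 supplier, and the payment-terms and variable-cost assumptions are labelled in the code.

```python
from dataclasses import dataclass


@dataclass
class Customer:
    name: str
    annual_revenue: float  # GBP per year invoiced to this customer


def revenue_shares(customers):
    """Share of total revenue per customer, as a fraction of 1."""
    total = sum(c.annual_revenue for c in customers)
    return {c.name: c.annual_revenue / total for c in customers}


def concentration_risks(customers, threshold=0.30):
    """Customers above the concentration threshold (30% is the figure used above)."""
    return [name for name, share in revenue_shares(customers).items() if share > threshold]


def simulate_dark_customer(customers, dark_customer, disruption_weeks, cash_reserves,
                           weekly_fixed_costs, variable_cost_ratio=0.55, payment_terms_weeks=4):
    """Week-by-week cash model when one customer stops ordering from week 1.

    Assumptions (simplified, and my own, not the article's):
    - revenue is earned evenly across the year (annual / 52);
    - variable costs (materials, subcontract) are paid in the week of production
      and stop as soon as the dark customer stops ordering;
    - receipts arrive payment_terms_weeks after production, so pre-disruption
      invoices keep paying for a while, then dry up, and when orders resume you
      pay to produce again before the new invoices are settled;
    - fixed costs (salaries, rent, loans) are paid every week regardless.

    Returns (week cash first goes negative or None, lowest cash balance seen).
    The run continues until the receipts backlog after the disruption has cleared.
    """
    weekly_revenue = {c.name: c.annual_revenue / 52 for c in customers}
    cash = cash_reserves
    min_cash = cash
    insolvent_week = None
    horizon = disruption_weeks + payment_terms_weeks

    def dark(name, week):
        # True if this customer placed no orders in the given week.
        return name == dark_customer and 1 <= week <= disruption_weeks

    for week in range(1, horizon + 1):
        for name, rev in weekly_revenue.items():
            if not dark(name, week):
                cash -= rev * variable_cost_ratio   # pay to produce this week's orders
            if not dark(name, week - payment_terms_weeks):
                cash += rev                         # receipts for work done earlier
        cash -= weekly_fixed_costs
        min_cash = min(min_cash, cash)
        if cash < 0 and insolvent_week is None:
            insolvent_week = week
    return insolvent_week, min_cash


# Constructed figures for a hypothetical supplier; not real data.
CUSTOMERS = [
    Customer("Anchor OEM", 3_000_000),   # 60% of revenue
    Customer("Customer A", 1_200_000),   # 24%
    Customer("Customer B", 800_000),     # 16%
]

if __name__ == "__main__":
    for name, share in revenue_shares(CUSTOMERS).items():
        print(f"{name}: {share:.0%}")
    print("concentration risks:", concentration_risks(CUSTOMERS))
    week, low = simulate_dark_customer(CUSTOMERS, "Anchor OEM", disruption_weeks=6,
                                       cash_reserves=100_000, weekly_fixed_costs=40_000)
    print(f"insolvent in week {week}, lowest cash £{low:,.0f}")
```

With these figures the supplier’s cash actually rises for the first four weeks, because materials spend stops while old invoices are still being paid. The hole opens in week five, and the worst week is after the customer has come back: production costs restart immediately, the new invoices are not paid for another month, and the business runs out of cash in week ten of a six-week shutdown. Change the payment terms, reserves and fixed costs to your own numbers and you have the answer to “how long can we survive”.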

2. Negotiate Supply Chain Protection Into Contracts

I told Helena that many standard contracts shift all cyber risk to the customer. Let me show you what that actually looks like.

Standard contract language: “Supplier agrees to implement reasonable security measures to protect Customer data.”

That sounds fine until you realize “reasonable” is undefined, your liability is uncapped, and every obligation runs one way: nothing requires the customer to secure the systems, portals and connections you depend on, so a breach on their side is your problem and your cost.

Better contract language: “Both parties agree to maintain Cyber Essentials Plus certification. Either party must notify the other within 24 hours of any security incident that may affect shared systems. Business interruption due to either party’s security failure will be governed by force majeure provisions.”

One warning on that last clause. Force majeure usually excuses the party that can’t perform; it doesn’t pay the other side. If what you actually need is cash flow while their plant is dark, you also want a minimum order commitment, a notice period before orders can stop, or a cancellation fee written in alongside it.

I learned this at Disney. Enterprise contracts include specific security requirements, shared liability models, and business continuity commitments. Small business contracts ignore all of this, then wonder why suppliers go bust when customers get breached.

Your solicitor won’t know to include this language because most solicitors don’t understand cyber risk. You need to tell them what to add.

3. Build a Two-Scenario Incident Response Plan

Most incident response plans assume you get breached. That’s Scenario One. You need Scenario Two: your biggest customer gets breached.

Scenario One: We Get Hacked

  • Who calls who

  • What systems get shut down

  • How we notify customers

  • Where offline backups are stored

  • How we rebuild operations

Scenario Two: Our Biggest Customer Gets Hacked

  • How long can we survive without their orders

  • Which costs can we cut immediately

  • What alternative customers can we activate

  • How we keep staff informed and maintain morale

  • What financial support we need to arrange in advance

That second scenario is the one no one prepares for. After watching the JLR supply chain collapse, it’s the one that matters most.

The Bit That Really Pisses Me Off

JLR had £6 billion in cash reserves. They got a £1.5 billion government loan guarantee. They’re recovering. They’ll survive this.

Their suppliers? The ones who did everything right, maintained proper security, passed their audits, followed best practices? They’re the ones who paid the price for JLR’s failure.

I left Fortune 500 security roles to work with small businesses precisely because of this nonsense. The enterprise world has resources, redundancy, insurance, government bailouts. Small businesses have Dave from IT, a limited budget, and faith that doing the right thing will protect them.

It won’t. Not when you’re one link in a supply chain where bigger companies make security decisions that determine whether you stay in business.

The Real Lesson From JLR

Financial Accountant quoted Paul Reynolds saying “cyber risk is business risk.” He’s right. But let me add the second half of that statement.

Cyber risk is business risk, and your business risk now includes everyone you do business with.

You can’t control whether your customers maintain proper security. You can’t audit their helpdesk processes. You can’t force them to buy cyber insurance or hire competent CISOs.

What you can control:

  • Your customer concentration

  • Your contract terms

  • Your financial reserves

  • Your response plans

  • Your risk awareness

The JLR attack won’t be the last time a major UK manufacturer gets compromised. The pattern is clear. Social engineering against outsourced helpdesk providers works. Attackers know it works. They’ll keep doing it until we fix the underlying problem.

Meanwhile, you need to survive in a world where your security doesn’t guarantee your safety.

That’s the lesson worth learning. Everything else is just noise.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com