Two Breaches, One Pattern: What the JLR and M&S Cyber Attacks Tell Us About Where We’re Headed
Over the past 18 months, two of the UK’s most recognisable brands, Marks & Spencer and Jaguar Land Rover have made headlines for serious cyber incidents.
In both cases, the public was told little. No detailed technical disclosures. No flashy zero-days. No dramatic ransom notes leaked on Telegram. But dig into what is available, and something bigger emerges, a pattern that reflects the state of cybersecurity in 2025.
Let’s break it down.
M&S: Credentials, AD Compromise, and Social Engineering
The Marks & Spencer breach, revealed in mid-2024, began with a familiar scenario: compromised third-party credentials. Specifically, from staff at a major outsourcing firm, Tata Consultancy Services (TCS).
From there, attackers reportedly:
- Gained access to internal systems
- Stole the Active Directory database (NTDS.dit)
- Leveraged social engineering against helpdesk staff to escalate privileges
The tactics are textbook Scattered Spider, a threat actor known for abusing identity, bypassing MFA, and exploiting support processes rather than software flaws.
It’s not the kind of breach that triggers flashing red lights on a firewall dashboard. But it’s precisely the kind that causes quiet, long-lasting damage.
JLR: An Unfolding Incident, Familiar Playbook
Fast forward to August–September 2025, when Jaguar Land Rover confirmed a cyber incident that caused widespread disruption to operations, including dealerships and parts of its supply chain.
Though the forensic investigation is still ongoing, early reporting suggests:
- A credential-based attack was likely
- Potential exposure via a legacy Atlassian Jira login
- Data exfiltration confirmed, but no full technical breakdown yet
Again, the names being floated, Scattered Spider, ShinyHunters, UNC3944, all point to threat actors who specialise in identity abuse and social engineering over brute-force malware.
The Common Threads
While the two incidents are months apart, they share the same DNA:
– Identity is the new perimeter
Both breaches hinge on compromised credentials and unauthorised access, not technical exploits.
– The helpdesk is an attack surface
Support staff are now frequent targets. Attackers don’t always need to break in if they can ask nicely.
– Third parties create hidden risk
In both cases, outsiders played a role, whether directly (TCS credentials at M&S) or indirectly (exposed tools, stale access).
– Monitoring isn’t enough without context
You can log every login attempt, but if you’re not analysing where it’s coming from, who it’s linked to, or what else it triggered, you’re still blind.
What These Breaches Really Predict
The lesson here isn’t “be like M&S” or “avoid JLR’s mistake”. It’s that modern cyber risk is less about code and more about trust:
- Trust in users to keep their credentials safe
- Trust in suppliers to protect their access
- Trust in support teams not to be manipulated
- Trust in legacy systems to not leave doors open
These attacks didn’t exploit technology so much as assumptions. That your helpdesk can’t be tricked. That your cloud accounts are secure. That your old Atlassian login has been disabled.
Final Thoughts
If you’re in cybersecurity, don’t wait for official reports to validate what’s already visible:
- Identity is under siege
- Support processes are targets
- Supply chain credentials are liabilities
- Attackers move faster than policies
Marks & Spencer and Jaguar Land Rover are just the latest examples. But they won’t be the last.
If your business assumes you’re “too small” or “not on anyone’s radar,” think again.
Marks & Spencer and Jaguar Land Rover have dedicated teams, strong brands, and complex security, and they were still compromised.
Cyber attackers don’t care about size, they care about access. If you have credentials, suppliers, or users, you’re in the game.
