Cyber Attack Stories: What We Can Learn from Real Incidents

Real cyber attacks tell us more than theoretical threats ever could. They show us how attackers actually operate, where defences fail, and what happens when organisations aren't prepared.

Here are three recent incidents that illustrate different attack vectors, impacts, and lessons — all relevant to UK organisations.

1. Jaguar Land Rover: When Production Stops

In August 2025, British automotive giant Jaguar Land Rover suffered what became the most damaging cyber attack in British history. The attack brought production to a complete halt for several weeks, with estimated costs to the UK economy reaching £1.9 billion.

What happened:

  • Attackers gained access to critical production systems
  • Manufacturing operations were completely shut down
  • The disruption cascaded through the supply chain
  • Recovery took weeks, not days

Why it matters:

This wasn't just a data breach. It was an operational shutdown. The attack demonstrated that modern industrial systems are deeply interconnected — when one part fails, everything stops.

For UK organisations, the lesson is clear: cyber risk isn't just about data. It's about whether you can operate at all. Manufacturing, logistics, healthcare, and critical infrastructure all face the same reality: if your systems go down, your business stops.

Key takeaway: Operational resilience planning isn't optional. You need to know how you'd continue operating if critical systems were compromised.

2. British Library: When Ransomware Meets Refusal

In October 2023, the British Library was hit by a ransomware attack from the hacker group Rhysida. The attackers demanded 20 bitcoin (approximately £500,000 at the time). The library refused to pay.

What happened:

  • Approximately 600GB of data was stolen and leaked online
  • Library services were severely disrupted for months
  • Recovery costs were estimated at £6–7 million
  • The attack is considered one of the worst cyber incidents in British history

Why it matters:

The British Library's decision not to pay the ransom was principled, but it came at a significant cost. The recovery process took months and cost millions — far more than the original ransom demand.

This incident highlights a critical question every organisation must answer: What would we do if hit by ransomware? The answer isn't obvious. Paying ransoms is often illegal (especially to sanctioned groups), but recovery without paying can be expensive and slow.

Key takeaway: Your backup and recovery strategy determines your options. If you can restore quickly from tested backups, you have choices. If you can't, you may have none.

3. Global Telecommunications Hack: Supply Chain as Attack Vector

In August 2024, Chinese state-sponsored hackers infiltrated major telecommunications firms worldwide, including AT&T, Verizon, and T-Mobile. The attackers accessed metadata of millions of users, including high-profile political figures, and compromised systems used for lawful wiretapping.

What happened:

  • Attackers targeted telecommunications infrastructure
  • Metadata of millions of users was accessed
  • Systems used for lawful surveillance were compromised
  • The breach had national security implications

Why it matters:

This attack demonstrates that supply chain vulnerabilities affect everyone. When critical infrastructure providers are compromised, their customers — including governments and large enterprises — are exposed.

For UK organisations, this reinforces the importance of third-party risk management. You're only as secure as your weakest supplier. If your telecommunications provider, cloud provider, or critical software vendor is compromised, you're compromised.

Key takeaway: Assess your critical suppliers' cyber posture. Don't assume they have it covered. Ask for evidence. Include cyber expectations in contracts.

Common Patterns Across These Attacks

Looking at these incidents together, several patterns emerge:

1. Attackers Think in Opportunities, Not Sectors

These attacks targeted automotive manufacturing, cultural institutions, and telecommunications. The attackers didn't care about the sector — they cared about opportunity. Any organisation with valuable data, critical operations, or supply chain access is a potential target.

2. Impact Extends Far Beyond the Initial Breach

In each case, the impact cascaded. Jaguar Land Rover's shutdown affected suppliers. The British Library's disruption affected researchers and the public. The telecommunications hack exposed millions of users.

Modern organisations are interconnected. A breach in one place creates problems everywhere.

3. Recovery Takes Longer and Costs More Than Expected

In all three cases, recovery was slower and more expensive than anticipated. The British Library spent £6–7 million recovering from an attack whose ransom demand was £500,000. Jaguar Land Rover's shutdown lasted weeks.

Organisations consistently underestimate recovery time and cost. This is why operational resilience planning matters.

4. Basic Controls Would Have Prevented Most of These Attacks

These attacks didn't rely on sophisticated "zero-day" exploits. They exploited:

  • Weak access controls
  • Unpatched systems
  • Poor supplier security
  • Inadequate backup and recovery processes

The good news: these are fixable problems. The bad news: many organisations still haven't fixed them.

What Organisations Can Do

Based on these incidents, here's what matters:

1. Understand Your Critical Dependencies

Map what you depend on. Which suppliers have access to your systems? Which systems, if compromised, would stop your operations? What data, if leaked, would cause serious harm?

2. Test Your Recovery Capabilities

Don't assume backups work. Test them. Know how long recovery actually takes. Have a realistic view of your Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

3. Assess Third-Party Risk

Don't trust suppliers blindly. Ask for evidence of their cyber posture. Include cyber expectations in contracts. Understand what happens if a critical supplier is compromised.

4. Plan for Operational Disruption

Cyber attacks don't just steal data — they stop operations. Plan for how you'd continue operating if critical systems were unavailable. This is operational resilience, not just IT recovery.

5. Make Decisions Before You're Under Pressure

Decide your ransomware policy now. Decide how you'd respond to a breach. Decide who makes decisions during an incident. Making these decisions under pressure leads to poor outcomes.

The Bottom Line

These attacks show us that cyber risk is real, expensive, and disruptive. But they also show us that most attacks exploit basic weaknesses — weaknesses that can be identified and fixed.

The question isn't whether your organisation will be targeted. The question is whether you're prepared when it happens.

Understanding these incidents isn't about fear — it's about clarity. When you understand how attacks actually work and what they actually cost, you can make informed decisions about cyber risk management.

That's where a proper cyber risk assessment comes in. It helps you understand your exposure, prioritise improvements, and build resilience — before an incident happens.