
Infosecurity Europe: Why JLR’s CISO Enforced In-Person Password Resets

By Team-CWD, June 10, 2026


When Jaguar Land Rover (JLR) was hit by a major cyber-attack in September 2025, one of the first things the company’s cybersecurity leader did was to call over 30,000 staff on site to reset their passwords.

Speaking during Infosecurity Europe on June 3, Ashish Shrestha, CEO of Zyn Global and group CISO of JLR at the time of the cyber incident, said that the decision was made because it was vital to ensure that the identities of the staff could be trusted post-breach and while the company responded to the incident.

“My first priority was that we needed to validate whether our Microsoft 365 had been compromised or not, because we need that to communicate,” he explained in a conference session titled ‘Crisis Communications – Contingency Plans to Put in Place Now.’

The former JLR cyber leader noted that if the firm had observed signs of the Microsoft 365 environment being compromised via a user account, they would not be able to use that as a communications channel.

Therefore, to verify that all users were who they said they were and that everyone could be trusted in online communications, JLR required every member of staff to reset their password – and do it in person.

“One of the first and foremost things was we did an enterprise-wide password reset for 30,000 people. And we asked every individual to come on site to do it,” Shrestha said.

Trust and Verification Post Cyber-Attack

The justification for this, he explained, was that while there wasn’t any sign of an overall compromise of usernames and passwords, he wanted to be sure that every single user could be trusted before moving forward.

The way to be sure of that was by requiring staff to make the change in person.

If done remotely, there was the potential risk that an attacker could change the password of a compromised account, should they have control of it.

“Now, although identity and access management wasn’t compromised, I triggered an enterprise-wide password reset and reset everything, including multi-factor authentication (MFA), validating the identity of the human and associating their body with the ID,” Shrestha explained.

JLR was severely impacted by the cyber-attack, as production and sales operations were halted for weeks. In the following months, sales for the automotive manufacturer crashed.

The impact of the cyber-attack against JLR was so immense that it became the costliest cyber-attack to hit the UK. Overall, it is estimated that the JLR cyber-attack cost the national economy £1.9bn ($2.55bn) and affected over 5000 organizations in the supply chain.

A group linked to Scattered Spider claimed responsibility for the attack. The cybercriminal collective was responsible for several high-profile cyber-attacks during 2025, including ransomware attacks against retailers Marks & Spencer and The Co-op.


