The government’s own Cyber Security Breaches Survey for 2025/2026 was published on 30 April 2026 and, if you work in this industry, the numbers should make you uncomfortable. Not because they’re surprising, they’re not, but because they confirm what a lot of us have been saying for years and the direction of travel is the wrong one.
43% of UK businesses identified a cyber breach or attack in the past twelve months. Extrapolate that across the business population and you get roughly 612,000 organisations, and those are only the incidents that organisations identified and were willing to report to the survey. Reports of revenue or share-value loss rose from 2% to 5% year-on-year. Reputational damage reports went from 1% to 3%. Those are small base figures, and the overall breach prevalence is broadly flat, but the direction on impact and small-business fundamentals is not encouraging. Phishing remains the dominant vector, experienced by 38% of businesses.
What I find most difficult to explain away is that small businesses have gone backwards on several basic hygiene measures. Risk assessments fell from 48% to 41%. Formal cyber policies dropped from 59% to 52%. Continuity plans covering cyber fell from 53% to 44%. These are not advanced capabilities. These are fundamentals, and we are losing ground on them.
The supply chain blind spot
If the headline numbers are uncomfortable, the supply chain figures are inexcusable. Only 15% of businesses report reviewing the cyber risks posed by their immediate suppliers. The wider supply chain figure is worse still: just 6%. Break it down by size and the picture is predictably grim: 12% of micro businesses, 22% of small, 30% of medium, and 48% of large businesses are conducting immediate supplier risk reviews. Even among the largest organisations, fewer than half are doing it.
Fifteen percent. In 2026. After everything that happened last year.
Let me remind you what “everything that happened last year” actually looked like in practice, because I think the lessons of the Jaguar Land Rover incidents deserve more than a passing reference in someone else’s trend report.
What we know about JLR
JLR appears to have suffered at least two publicly reported cyber incidents in 2025, and it’s important to be precise about what is confirmed and what is reported but unconfirmed.
In March 2025, HELLCAT-linked actors reportedly accessed JLR data using stolen third-party Atlassian Jira credentials. SecurityWeek reported that the credentials were allegedly harvested from an LG Electronics employee via infostealer malware, with one threat actor claiming they dated back to 2021. Hudson Rock’s analysis suggested the credentials had never been rotated or invalidated in the intervening four years. JLR did not publicly confirm those claims at the time. A second threat actor subsequently claimed to have exploited similar vintage credentials.
Separately, at the end of August 2025, JLR suffered a major cyber incident that forced a shutdown of systems and severely disrupted production and retail operations. JLR’s own statement on 2 September confirmed they had been “impacted by a cyber incident” and had “proactively shut down systems”. Production remained halted until early October, with a phased restart beginning around 8 October. The Cyber Monitoring Centre assessed the overall economic impact at between £1.6 billion and £2.1 billion, with £1.9 billion as the most likely figure, and classified it as a Category 3 systemic event. The former head of the NCSC described it as the single most financially damaging cyber event ever to hit the UK.
The precise intrusion route for the September shutdown has not been publicly confirmed by JLR, and some reporting has noted the March data incident and the September production shutdown may be unrelated. I am not going to conflate the two. The March reporting illustrates the supplier-credential problem: commodity credential theft, stale third-party access, and credentials that allegedly remained valid for years. The September shutdown illustrates the operational consequences when cyber incidents hit at manufacturing scale. Whether or not the two events were technically connected, together they point to exactly the class of failure that the Breaches Survey data tells us almost nobody is checking for.
Basics, not sophistication
I want to be careful about how I frame this because hindsight is cheap and no organisation is immune. But take the March credential incident at face value: if the reported Jira-credential route is accurate, consistent MFA and tighter third-party access controls would likely have made that route materially harder to exploit. Credentials allegedly harvested by commodity malware, sitting in a credential dump for years, reportedly gave a threat actor access to one of Britain’s largest manufacturers. Not through a novel zero-day. Not through sophisticated state-grade tradecraft. Through stale supplier Jira credentials.
And here’s where the survey data connects. Only 15% of UK businesses are reviewing supplier cyber risk. That means 85% of businesses are, in effect, trusting that their suppliers are revoking compromised credentials, enforcing MFA, patching known vulnerabilities and maintaining basic hygiene, without ever checking. After what happened at JLR, that position is difficult to defend.
The “dogs of war” are going for low-hanging fruit
I wrote recently for the Guernsey Cyber Alliance about the threat picture following the April ceasefire and the flurry of Iranian-affiliated cyber activity that accompanied it. The headline from that piece was that while the threats are real, they are less coordinated and less sophisticated than the trade press would have you believe. Cyber Av3ngers’ internet-facing PLC playbook dates back to the earlier Unitronics campaigns. The April 2026 AA26-097A advisory documented a newer Rockwell Automation/Allen-Bradley wave identified since at least March 2026. Those campaigns worked because the targets were negligently exposed, not because the attackers were extraordinary.
The pattern is consistent. Whether it’s a state-affiliated group going after water treatment PLCs or a ransomware crew reportedly going after a car manufacturer’s Jira instance, the common denominator is not the sophistication of the attacker. It’s the state of the defender’s basics. We keep investing in elaborate perimeters while leaving fundamental access controls unmanaged.
The unstructured “cyber dogs of war”, the hacktivist crews and opportunistic criminal groups that dominate the current threat landscape, are not selecting their targets with surgical precision. They are scanning for the easiest way in and, far too often, finding it. Stale credentials. Missing MFA. Internet-facing systems that shouldn’t be internet-facing. Default passwords on industrial control equipment. The same catalogue of basics we have been talking about for a decade.
What needs to change
I’ll keep this practical because the advice itself isn’t complicated. The problem has never been knowing what to do. The problem is actually doing it, consistently, across your entire supplier ecosystem, not just within your own four walls.
Credential hygiene needs to be treated as a fundamental, not an annual audit checkbox. That doesn’t mean enforcing regular password rotation for its own sake; the NCSC has been clear that forced periodic password changes can make security worse, not better. It means revoking stale and dormant accounts, monitoring credential dumps for exposed passwords and acting on them immediately, blocking known-compromised passwords, re-attesting and removing supplier access that is no longer needed, and deploying phishing-resistant MFA or passwordless authentication wherever possible.
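Two of those controls are mechanical enough to show in code. The following is an added example written for this post, not tooling from JLR, the NCSC or any vendor named above. It runs an audit over a constructed inventory of third-party accounts (names, dates and the MFA flags are invented) and checks a candidate password against a constructed stand-in for a breached-password corpus using the k-anonymity range pattern: only the first five hex characters of the SHA-1 leave the client, and the suffix comparison happens locally. The thresholds (90 days dormant, 365 days before a supplier credential must be re-attested) are assumptions to adjust, and the age check is about confirming a long-lived supplier credential is still needed, not forcing routine password changes.

```python
import hashlib
from datetime import date

# Constructed reference date and constructed inventory of third-party accounts
# on an issue tracker. Nothing here is real data from any organisation.
TODAY = date(2026, 5, 1)

SUPPLIER_ACCOUNTS = [
    {"user": "vendor-a-svc", "org": "Vendor A",
     "last_login": date(2026, 4, 28), "cred_issued": date(2025, 11, 2), "mfa": True},
    {"user": "vendor-b-eng", "org": "Vendor B",
     "last_login": date(2021, 9, 14), "cred_issued": date(2021, 3, 3), "mfa": False},
    {"user": "vendor-c-qa", "org": "Vendor C",
     "last_login": date(2026, 2, 1), "cred_issued": date(2025, 8, 10), "mfa": True},
]

# Constructed stand-in for a breached-password corpus, stored as upper-case
# SHA-1 hex digests, which is how such lists are commonly distributed. In
# production this would be a full feed, not three invented passwords.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password123", "Welcome2021!", "letmein")
}


def range_lookup(prefix: str) -> set[str]:
    """Server side of a k-anonymity range query: given a five-character hash
    prefix, return every matching 35-character suffix in the corpus. The
    server never learns the full hash, let alone the password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    prefix = prefix.upper()
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def password_is_compromised(password: str) -> bool:
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def audit_accounts(accounts, today=TODAY, dormant_days=90, max_cred_age_days=365):
    """Return {user: [reasons]} for every third-party account needing action.

    Flags accounts that are dormant, credentials old enough that the supplier
    should re-attest they are still required, and accounts without MFA.
    """
    findings = {}
    for acct in accounts:
        reasons = []
        idle = (today - acct["last_login"]).days
        age = (today - acct["cred_issued"]).days
        if idle > dormant_days:
            reasons.append(f"dormant for {idle} days: revoke")
        if age > max_cred_age_days:
            reasons.append(f"credential issued {age} days ago: re-attest or remove")
        if not acct["mfa"]:
            reasons.append("no MFA enrolled: enforce before next login")
        if reasons:
            findings[acct["user"]] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit_accounts(SUPPLIER_ACCOUNTS).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
    print("Password123 compromised:", password_is_compromised("Password123"))
```

Run as a script it lists only vendor-b-eng, with all three reasons, and reports the constructed password as compromised; the other two accounts pass every check. In a real deployment the inventory would come from the identity provider or the application's user directory, and the range lookup would go to a breached-password service or an internal mirror of one, but the shape of the logic (dormancy, re-attestation of long-lived supplier credentials, MFA coverage, and a prefix-only check against known-bad passwords) is the point.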
MFA on everything that takes it. Not “on our critical systems” or “for senior staff” or “where the vendor supports it without too much hassle”. On everything.
Review your supplier risk, properly and regularly. That means asking your suppliers what controls they have in place, verifying the answers, and building contractual expectations around credential management, patching cadence and incident notification. If 85% of businesses aren’t doing this, every single one of them is carrying risk they haven’t measured.
And, critically, stop treating supply chain security as someone else’s problem. At least one publicly reported JLR data incident appears to have involved supplier credentials. Whether that was also the root cause of the later production shutdown has not been publicly confirmed. But the principle holds regardless of JLR’s specific circumstances: if you outsource a business function, you have not outsourced the risk. You have extended it.
The uncomfortable conclusion
The Breaches Survey tells us that 612,000 businesses identified a breach or attack last year and that basic hygiene is deteriorating in the places that can least afford it. JLR, whatever the precise chain of events, shows us what happens when supply chain fundamentals fail at scale. The threat actors exploiting these gaps are, in many cases, not particularly skilled. They don’t need to be. We are making it easy for them.
I said in my recent Guernsey Cyber Alliance piece that we could all do with being a harder target at the moment. The dogs of war are barking. The survey data confirms that too many of us are leaving the door wide open.
The Cyber Security and Resilience Bill is making its way through parliament and will bring new obligations around incident reporting and resilience standards for regulated sectors, essential services, digital infrastructure and managed service providers. That’s welcome, but it won’t cover every ordinary SME, and regulation follows damage; it doesn’t prevent it. The basics (credential hygiene, MFA, supplier risk review, patching, continuity planning) are available now. They are not always free, but they are considerably cheaper than finding out what they cost during a shutdown.
We need to stop building the roof and start fixing the foundations.
Sources
- Cyber Security Breaches Survey 2025/2026 — GOV.UK
- JLR Statement on Cyber Incident, 2 September 2025 — JLR Media Newsroom
- Cyber Monitoring Centre Statement on the JLR Cyber Incident, October 2025
- Ransomware Group Claims Attacks on Ascom, Jaguar Land Rover — SecurityWeek
- JLR Hack Cost UK Economy £1.9 Billion — Reuters via Yahoo Finance
- Former NCSC Head on JLR Financial Impact — IT Pro
- CISA/FBI/NSA/EPA/DOE Joint Advisory AA26-097A — Iranian-Affiliated Actors Exploit PLCs, 7 April 2026
- The Cyber Dogs of War: Quieter Than the Headlines Suggest — Guernsey Cyber Alliance
- NCSC: The Problems with Forcing Regular Password Expiry
- Cyber Security and Resilience Bill — UK Parliament