bbc.com
Joe TidyCyber correspondent, BBC World Service
Prepare to switch to offline systems in the event of a cyber-attack, firms are being advised.
People should plan for potential cyber-attacks by going back to pen and paper, according to the latest advice.
The government has written to chief executives across the country strongly recommending that they should have physical copies of their plans at the ready as a precaution.
A recent spate of hacks has highlighted the chaos that can ensue when hackers take computer systems down.
The warning comes as the National Cyber-Security Centre (NCSC) reported an increase in nationally significant attacks this year.
Criminal hacks on Marks and Spencer, The Co-op and Jaguar Land Rover have led to empty shelves and production lines being halted this year as the companies struggled without their computer systems.
Organisations need to "have a plan for how they would continue to operate without their IT, (and rebuild that IT at pace), were an attack to get through," said Richard Horne, chief executive of the NCSC.
Firms are being urged to look beyond cyber-security controls toward a strategy known as "resilience engineering", which focuses on building systems that can anticipate, absorb, recover, and adapt, in the event of an attack.
Plans should be stored in paper form or offline, the agency suggests, and include information about how teams will communicate without work email and other analogue work arounds.
These types of cyber attack contingency plans are not new but it's notable that the UK's cyber authority is putting the advice prominently in its annual review.
Although the total number of hacks that the NCSC dealt with in the first nine months of this year was, at 429, roughly the same as for a similar period last year, there was an increase in hacks with a bigger impact.
The number of "nationally significant" incidents represented nearly half, or 204, of all incidents. Last year only 89 were in that category.
A nationally significant incident covers cyber-attacks in the three highest categories in the NCSC and UK law enforcement categorisation model:
Category 1: National cyber-emergency.
Category 2: Highly significant incident.
Category 3: Significant incident.
Category 4: Substantial incident.
Category 5: Moderate incident.
Category 6: Localised incident.
Amongst this year's incidents, 4% (18) were in the second highest category "highly significant".
This marks a 50% increase in such incidents, an increase for the third consecutive year.
The NCSC would not give details on which attacks, either public or undisclosed, fall into which category.
But, as a benchmark, it is understood that the wave of attacks on UK retailers in the spring, which affected Marks and Spencer, The Co-op and Harrods, would be classed as a Significant incident.
One of the most serious attacks last year, on a blood testing provider, caused major problems for London hospitals. It resulted in significant clinical disruption and directly contributed to at least one patient death.
The NCSC would not say which category this incident would fall into.
The vast majority of attacks are financially motivated with criminal gangs using ransomware or data extortion to blackmail a victim into sending Bitcoins in ransom.
Whilst most cyber-crime gangs are headquartered in Russian or former Soviet countries, there has been a resurgence in teenage hacking gangs thought to be based in English-speaking countries.
So far this year seven teenagers have been arrested in the UK as part of investigations into major cyber-attacks.
As well as the advice over heightened preparations and collaboration, the government is asking organisations to make better use of the free tools and services offered by the NCSC, for example free cyber-insurance for small businesses that have completed the popular Cyber-Essentials programme.
'Basic protection'
Paul Abbott, whose Northamptonshire transport firm KNP closed after hackers encrypted its operational systems and demanded money in 2023, says it's no longer a case of "if" such incidents will happen, but when.
"We were throwing £120,000 a year at [cyber-security] with insurance and systems and third-party managed systems," Mr Abbott told BBC Radio 5 Live on Tuesday.
He said he now focuses on security, education and contingency - key to which involves planning what is needed to keep a business running in the event of an attack or outage.
"The call for pen and paper might sound old-fashioned, but it's practical," said Graeme Stewart, head of public sector at cyber-security firm Check Point, noting digital systems can be rendered "useless" once targeted by hackers.
"You wouldn't walk onto a building site without a helmet - yet companies still go online without basic protection," he added.
"Cybersecurity needs to be treated with the same seriousness as health and safety: not optional, not an afterthought, but part of everyday working life."
bbc.com
Josh Martinbusiness reporter
The carmaker says some of its customers' data has been stolen in a cyber-attack that targeted a third-party provider.
Renault UK has confirmed that some of its customers' data has been stolen in a cyber-attack that targeted a third-party data processing provider.
No customer financial data, such as passwords or bank account details, had been obtained, Renault said, but other personal data had been accessed and the carmaker warned customers to be vigilant.
The French-owned carmaker would not specify how many people could be affected "for ongoing security reasons" but said it did not anticipate any wider implications for the company, as none of Renault's own systems had been hacked.
It comes after rival Jaguar Land Rover and brewing giant Asahi have had production stopped by cyber-attacks on their systems.
Renault UK said affected people would be notified and that victims of the hack may include a wider pool of people who had entered competitions or shared data with the car company, without purchasing a vehicle.
The carmaker said the data that had been accessed by the cyber-attack included some or all of: customer names, addresses, dates of birth, gender, phone number, vehicle identification numbers and vehicle registration details.
A Renault spokesperson said: "The third-party provider has confirmed this is an isolated incident which has been contained, and we are working with it to ensure that all appropriate actions are being taken. We have notified all relevant authorities.
"We are in the process of contacting all affected customers, advising them of the cyber-attack and reminding them to be cautious of any unsolicited requests for personal information," they added.
Jaguar Land Rover was recently forced to stop production and take a £1.5bn loan underwritten by the government after being targeted by hackers at the end of August.
Earlier this year, M&S and the Co-Op were both hit by cybersecurity breaches that disrupted supply chains and customer orders, and accessed the data of shoppers.
Reporter Joe Tidy was offered money if he would help cyber criminals access BBC systems.
Like many things in the shadowy world of cyber-crime, an insider threat is something very few people have experience of.
Even fewer people want to talk about it.
But I was given a unique and worrying experience of how hackers can leverage insiders when I myself was recently propositioned by a criminal gang.
"If you are interested, we can offer you 15% of any ransom payment if you give us access to your PC."
That was the message I received out of the blue from someone called Syndicate who pinged me in July on the encrypted chat app Signal.
I had no idea who this person was but instantly knew what it was about.
I was being offered a portion of a potentially large amount of money if I helped cyber criminals access BBC systems through my laptop.
They would steal data or install malicious software and hold my employer to ransom and I would secretly get a cut.
I had heard stories about this kind of thing.
In fact, only a few days before the unsolicited message, news emerged from Brazil that an IT worker there had been arrested for selling his login details to hackers which police say led to the loss of $100m (£74m) for the banking victim.
I decided to play along with Syndicate after taking advice from a senior BBC editor. I was eager to see how criminals make these shady deals with potentially treacherous employees at a time when cyber-attacks around the world are becoming more impactful and disruptive to everyday life.
I told Syn, who had changed their name mid-conversation, that I was potentially interested but needed to know how it works.
They explained that if I gave them my login details and security code then they would hack the BBC and then extort the corporation for a ransom in bitcoin. I would be in line for a portion of that payout.
They upped their offer.
"We aren't sure how much the BBC pays you but what if you took 25% of the final negotiation as we extract 1% of the BBC's total revenue? You wouldn't need to work ever again."
Syn estimated that their team could demand a ransom in the tens of millions if they successfully infiltrated the corporation.
The BBC has not publicly taken a position on whether or not it would pay hackers but advice from the National Crime Agency is not to pay.
Still, the hackers continued their pitch.
bbc.com/ Jacqueline Howard
The pair were allegedly recruited by pro-Russian hackers and used a "wi-fi sniffer" on the Europol headquarters.
Two 17-year-old boys have been arrested on suspicion of "state interference" in the Netherlands, prosecutors say, in a case with reported links to Russian spying.
The pair were allegedly contacted by pro-Russian hackers on the messaging app Telegram, Dutch media reported.
One of the boys allegedly walked past the offices of Europol, Eurojust and the Canadian embassy in The Hague carrying a "wi-fi sniffer" - a device designed to identify and intercept wi-fi networks.
The teenagers appeared before a judge on Thursday, who ordered one boy be remanded in custody and the other placed on strict home bail conditions until a hearing, which is due to take place in the next two weeks.
The National Office of the Netherlands Public Prosecution Service confirmed court appearance, but told the BBC it could not provide details on the case due to the suspects' age and in "the interest of the investigation", which is ongoing.
One of the boy's father told Dutch newspaper De Telegraaf that police had arrested his son on Monday afternoon while he was doing his homework.
He said police told him that the arrest related to espionage and rendering services to a foreign country, the paper reports.
The teenager was described as being computer savvy and having a fascination for hacking, while holding a part-time job at a supermarket.
The Netherlands' domestic intelligence and security agency declined to comment on the case when approached by the BBC.
bbc.com
Imran Rahman-JonesTechnology reporter andJoe TidyCyber correspondent, BBC World Service
The National Crime Agency (NCA) said a man in his forties was arrested in West Sussex.
A person has been arrested in connection with a cyber-attack which has caused days of disruption at several European airports including Heathrow.
The National Crime Agency (NCA) said a man in his forties was arrested in West Sussex "as part of an investigation into a cyber incident impacting Collins Aerospace".
There have been hundreds of flight delays after Collins Aerospace baggage and check-in software used by several airlines failed, with some boarding passengers using pen and paper.
"Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing," said Paul Foster, head of the NCA's national cyber crime unit.
The man was arrested on Tuesday evening on suspicion of Computer Misuse Act offences and has been released on bail.
The BBC has seen an internal memo sent to airport staff at Heathrow about the difficulties software provider Collins Aerospace is having bringing their check-in software back online.
The US company appears to be rebuilding the system again after trying to relaunch it on Monday.
Collins Aerospace's parent company RTX Corporation told the BBC it appreciated the NCA's "ongoing assistance in this matter".
The US firm has not put a timeline on when it will be ready and is urging ground handlers and airlines to plan for at least another week of using manual workarounds.
At Heathrow, extra staff have been deployed in terminals to help passengers and check-in operators but flights are still experiencing delays.
On Monday, the EU's cyber-security agency said ransomware had been deployed in the attack.
Ransomware is often used to seriously disrupt victims' systems and a ransom is demanded in cryptocurrency to reverse the damage.
These types of attacks are an issue for organisations around the country, with organised cyber-crime gangs earning hundreds of millions of pounds from ransoms every year.
Days of disruption
The attack against US software maker Collins Aerospace was discovered on Friday night and resulted in disruption across many European airports, including in Brussels, Dublin and Berlin.
Flights were cancelled and delayed throughout the weekend, with some airports still experiencing effects of the delays into this week.
"The vast majority of flights at Heathrow are operating as normal, but we encourage passengers to check the status of their flight before travelling to the airport," Heathrow Airport said in a statement on its website.
Berlin Airport said on Wednesday morning "check-in and boarding are still largely manual", which would result in "longer processing times, delays, and cancellations by airlines".
While Brussels Airport advised passengers to check in online before arriving at the airport.
Cyber-attacks in the aviation sector have increased by 600% over the past year, according to a report by French aerospace company Thales.
bbc.com Joe TidyCyber correspondent and
Tabby Wilson
The EU's cyber security agency says criminals are using ransomware to cause chaos in airports around the world.
Several of Europe's busiest airports have spent the past few days trying to restore normal operations, after a cyber-attack on Friday disrupted their automatic check-in and boarding software.
The European Union Agency for Cybersecurity, ENISA, told the BBC on Monday that the malicious software was used to scramble automatic check-in systems.
"The type of ransomware has been identified. Law enforcement is involved to investigate," the agency said in a statement to news agency Reuters.
It's not known who is behind the attack, but criminal gangs often use ransomware to seriously disrupt their victims' systems and demand a ransom in bitcoin to reverse the damage.
The BBC has seen internal crisis communications from staff inside Heathrow Airport which urges airlines to continue to use manual workarounds to board and check in passengers as the recovery is ongoing.
Heathrow said on Sunday it was still working to resolve the issue, and apologised to customers who had faced delayed travel.
It stressed "the vast majority of flights have continued to operate" and urged passengers to check their flight status before travelling to the airport.
The BBC understands about half of the airlines flying from Heathrow were back online in some form by Sunday - including British Airways, which has been using a back-up system since Saturday.
Continued disruption
The attack against US software maker Collins Aerospace was discovered on Friday night and resulted in disruption across several airports on Saturday.
While this had eased significantly in Berlin and London Heathrow by Sunday, delays and flight cancellations remained.
Brussels Airport, also affected, said the "service provider is actively working on the issue" but it was still "unclear" when the issue would be resolved.
They have asked airlines to cancel nearly 140 of their 276 scheduled outbound flights for Monday, according to the AP news agency.
Meanwhile, a Berlin Airport spokesperson told the BBC some airlines were still boarding passengers manually and it had no indication on how long the electronic outage would last.
bbc.com 12.09 Theo LeggettBusiness correspondent
The past two weeks have been dreadful for Jaguar Land Rover (JLR), and the crisis at the car maker shows no sign of coming to an end.
A cyber attack, which first came to light on 1 September, forced the manufacturer to shut down its computer systems and close production lines worldwide.
Its factories in Solihull, Halewood, and Wolverhampton are expected to remain idle until at least Wednesday, as the company continues to assess the damage.
JLR is thought to have lost at least £50m so far as a result of the stoppage. But experts say the most serious damage is being done to its network of suppliers, many of whom are small and medium sized businesses.
The government is now facing calls for a furlough scheme to be set up, to prevent widespread job losses.
David Bailey, professor of business economics at Birmingham Business School, told the BBC: "There's anywhere up to a quarter of a million people in the supply chain for Jaguar Land Rover.
"So if there's a knock-on effect from this closure, we could see companies going under and jobs being lost".
Under normal circumstances, JLR would expect to build more than 1,000 vehicles a day, many of them at its UK plants in Solihull and Halewood. Engines are assembled at its Wolverhampton site. The company also has large car factories in China and Slovakia, as well as a smaller facility in India.
JLR said it closed down its IT networks deliberately in order to protect them from damage. However, because its production and parts supply systems are heavily automated, this meant cars simply could not be built.
Sales were also heavily disrupted, though workarounds have since been put in place to allow dealerships to operate.
Initially, the carmaker seemed relatively confident the issue could be resolved quickly.
Nearly two weeks on, it has become abundantly clear that restarting its computer systems has been a far from simple process. It has already admitted that some data may have been seen or stolen, and it has been working with the National Cyber Security Centre to investigate the incident.
Experts say the cost to JLR itself is likely to be between £5m and £10m per day, meaning it has already lost between £50m and £100m. However, the company made a pre-tax profit of £2.5bn in the year to the end of March, which implies it has the financial muscle to weather a crisis that lasts weeks rather than months.
'Some suppliers will go bust'
JLR sits at the top of a pyramid of suppliers, many of whom are highly dependent on the carmaker because it is their main customer.
They include a large number of small and medium-sized firms, which do not have the resources to cope with an extended interruption to their business.
"Some of them will go bust. I would not be at all surprised to see bankruptcies," says Andy Palmer, a one-time senior executive at Nissan and former boss of Aston Martin.
He believes suppliers will have begun cutting their headcount dramatically in order to keep costs down.
Mr Palmer says: "You hold back in the first week or so of a shutdown. You bear those losses.
"But then, you go into the second week, more information becomes available – then you cut hard. So layoffs are either already happening, or are being planned."
A boss at one smaller JLR supplier, who preferred not to be named, confirmed his firm had already laid off 40 people, nearly half of its workforce.
Meanwhile, other companies are continuing to tell their employees to remain at home with the hours they are not working to be "banked", to be offset against holidays or overtime at a later date.
There seems little expectation of a swift return to work.
One employee at a major supplier based in the West Midlands told the BBC they were not expecting to be back on the shop floor until 29 September. Hundreds of staff, they say, had been told to remain at home.
When automotive firms cut back, temporary workers brought in to cover busy periods are usually the first to go.
There is generally a reluctance to get rid of permanent staff, as they often have skills that are difficult to replace. But if cashflow dries up, they may have little choice.
Labour MP Liam Byrne, who chairs the Commons Business and Trade Committee, says this means government help is needed.
"What began in some online systems is now rippling through the supply chain, threatening a cashflow crunch that could turn a short-term shock into long-term harm", he says.
"We cannot afford to see a cornerstone of our advanced manufacturing base weakened by events beyond its control".
The trade union Unite has called for a furlough system to be set up to help automotive suppliers. This would involve the government subsidising workers' pay packets while they are unable to do their jobs, taking the burden off their employers.
"Thousands of these workers in JLR's supply chain now find their jobs are under an immediate threat because of the cyber attack," says Unite general secretary, Sharon Graham.
"Ministers need to act fast and introduce a furlough scheme to ensure that vital jobs and skills are not lost while JLR and its supply chain get back on track."
Business and Trade Minister Chris Bryant said: "We recognise the significant impact this incident has had on JLR and their suppliers, and I know this is a worrying time for those affected.
"I met with the chief executive of JLR yesterday to discuss the impact of the incident. We are also in daily contact with the company and our cyber experts about resolving this issue."
bbc.com Chris VallanceSenior Technology Reporter andTheo Leggett International Business Correspondent 3.09.2025
Staff were sent home and the company shut down its IT systems in an effort to minimise the damage done.
A cyber-attack has "severely disrupted" Jaguar Land Rover (JLR) vehicle production, including at its two main UK plants.
The company, which is owned by India's Tata Motors, said it took immediate action to lessen the impact of the hack and is working quickly to restart operations.
JLR's retail business has also been badly hit at a traditionally a popular time for consumers to take delivery of a new vehicle - but there is no evidence any customer data had been stolen, it said.
The attack began on Sunday as the latest batch of new registration plates became available on Monday, 1 September.
The BBC understands that the attack was detected while in progress, and the company shut down its IT systems in an effort to minimise any damage.
Workers at the company's Halewood plant in Merseyside were told by email early on Monday morning not to come into work while others were sent home, as first reported by the Liverpool Echo.
The BBC understands the attack has also hit JLR's other main UK manufacturing plant at Solihull, with staff there also sent home.
The company said: "We took immediate action to mitigate its impact by proactively shutting down our systems. We are now working at pace to restart our global applications in a controlled manner."
It added: "At this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted."
It is not yet known who is responsible for the hack, but it follows crippling attacks on prominent UK retail businesses including Marks & Spencer and the Co-op.
In both cases, the hackers sought to extort money.
While JLR's statement makes no mention of a cyber-attack, a separate filing by parent company Tata Motors to the Bombay Stock Exchange referred to an "IT security incidence" causing "global" issues.
The National Crime Agency said: "We are aware of an incident impacting Jaguar Land Rover and are working with partners to better understand its impact."
In 2023, as part of an effort to "accelerate digital transformation across its business", JLR signed a five-year, £800m deal with corporate stablemate Tata Consultancy Services to provide cybersecurity and a range of other IT services.
The halt in production is a fresh blow to the firm which recently revealed a slump in profits attributed to increasing in costs caused by US tariffs.
BBC - Transport company KNP forced to shut down after international hacker gangs target thousands of UK businesses.
One password is believed to have been all it took for a ransomware gang to destroy a 158-year-old company and put 700 people out of work.
KNP - a Northamptonshire transport company - is just one of tens of thousands of UK businesses that have been hit by such attacks.
Big names such as M&S, Co-op and Harrods have all been attacked in recent months. The chief executive of Co-op confirmed last week that all 6.5 million of its members had had their data stolen.
In KNP's case, it's thought the hackers managed to gain entry to the computer system by guessing an employee's password, after which they encrypted the company's data and locked its internal systems.
KNP director Paul Abbott says he hasn't told the employee that their compromised password most likely led to the destruction of the company.
"Would you want to know if it was you?" he asks.
"We need organisations to take steps to secure their systems, to secure their businesses," says Richard Horne CEO of the National Cyber Security Centre (NCSC) - where Panorama has been given exclusive access to the team battling international ransomware gangs.
One small mistake
In 2023, KNP was running 500 lorries – most under the brand name Knights of Old.
The company said its IT complied with industry standards and it had taken out insurance against cyber-attack.
But a gang of hackers, known as Akira, got into the system leaving staff unable to access any of the data needed to run the business. The only way to get the data back, said the hackers, was to pay
