Between September 9-15, 2025, three major cybersecurity incidents exemplified persistent and evolving threats against manufacturing, government, and financial services. The Jaguar Land Rover global production shutdown exposed the devastating operational and economic risk from ransomware and supply chain exploitation. INC Ransom’s attack on Panama’s Ministry of Economy and Finance illustrated advanced double extortion tactics impacting critical infrastructure and national security. Meanwhile, the FinWise Bank insider breach served as a case study in the operational and reputational dangers of inadequate identity and access management.
Jaguar Land Rover (JLR) Cyberattack 2025
Overview
Tata Motors-owned Jaguar Land Rover faced a significant cyberattack resulting in halted production across all global facilities, affecting 39,000 employees and causing estimated losses of £50-72 million per week. This shutdown extended through at least September 24, 2025, severely disrupting manufacturing and supply chain operations.
Technical Explanation
The attack is attributed to the Scattered Lapsus$ Hunters group, which exploited a known SAP NetWeaver vulnerability to infiltrate JLR’s internal networks. Attackers then moved laterally into manufacturing and operational technology systems as well as corporate IT, encrypting data and exfiltrating sensitive internal files. The ransomware campaign included custom variants tailored to industrial environments, abusing legitimate admin tools for persistence and lateral spread.
Key stages:
- Initial access via SAP NetWeaver exploit
- Lateral spread using legitimate remote management and admin tools
- Ransomware and data theft across production and business operations systems
- Simultaneous attack coordination in factories across multiple countries
Impact/Risk
- Cessation of global vehicle production
- Financial losses of up to £1.7 billion in lost product value
- Delays in new vehicle deliveries
- Workforce impacts, including 2,000 temporary layoffs among suppliers
- National-level economic impact due to JLR’s size and export volume
- Prolonged recovery times and reputational harm
Takeaway for CISOs
Manufacturers must treat enterprise resource planning (ERP) and production system hardening as critical. Cross-discipline OT/IT incident response, tested continuity plans, and full SAP system monitoring must be prioritized. Ransomware defense and detection should include segmentation and forensics tailored to industrial controls and large-scale automation.
INC Ransom Attack on Panama Ministry of Economy and Finance
Overview
On September 5, 2025, the INC Ransom group compromised Panama’s Ministry of Economy and Finance, resulting in theft of 1.5 TB of data including highly sensitive government documents and financial records. The attack prompted extortion threats and potential data publication, though core government operations remained online thanks to timely containment efforts.
Technical Explanation
Attackers gained initial access through spear phishing that targeted ministry employees. They used PowerShell scripts and living-off-the-land techniques for persistence and data staging, employing tools such as NETSCAN.EXE for network reconnaissance. Collected data was systematically compressed and exfiltrated over encrypted cloud channels such as MEGASync, while command-and-control traffic was carried over DNS over HTTPS for stealth. The incident was notable for prioritizing data theft and extortion over system encryption, a hallmark of recent INC Ransom operations.
Key stages:
- Phishing for initial credential access
- Scripted tools for privilege escalation and persistence
- Network enumeration and domain credential harvesting
- Encrypted multi-phase data exfiltration, evading traditional controls
- Psychological pressure tactics (printer network abuse, data leak threats)
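The tradecraft listed above (PowerShell scripting, NETSCAN.EXE reconnaissance, MEGASync exfiltration and DNS-over-HTTPS command-and-control) maps cleanly onto a handful of endpoint telemetry rules. The following is an added example, not code from the incident write-up or from any EDR product: the event schema, host names and sample events are constructed, and the rules correlate hits per host so that a single machine showing reconnaissance plus an exfiltration channel is rated higher than a lone DNS-over-HTTPS connection.

```python
"""Rule-based triage of endpoint telemetry for the INC Ransom tradecraft
described above. Added example; the record layout and all sample events
are constructed and are not from the incident or from a real product."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Hypothetical telemetry record: one process launch or one outbound connection.
@dataclass
class Event:
    ts: str
    host: str
    kind: str            # "process" or "netconn"
    image: str = ""      # process image name (process events)
    cmdline: str = ""    # full command line (process events)
    dest: str = ""       # destination host name (netconn events)
    dport: int = 0       # destination port (netconn events)

# Public DNS-over-HTTPS resolvers; a fleet that resolves only through corporate
# DNS has no business reaching these on 443 (assumed policy for this example).
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
# Domains of the MEGA cloud storage service behind the MEGASync client.
MEGA_DOMAINS = {"mega.nz", "mega.co.nz"}

def classify(ev: Event) -> Optional[str]:
    """Map one event to a tactic label, or None if it matches no rule."""
    image = ev.image.lower()
    cmd = ev.cmdline.lower()
    if ev.kind == "process":
        if image == "netscan.exe":
            return "recon"
        if image == "megasync.exe":
            return "exfil"
        # Encoded PowerShell is the usual shape of scripted living-off-the-land.
        if image in ("powershell.exe", "pwsh.exe") and (
            "-enc" in cmd or "-encodedcommand" in cmd
        ):
            return "scripting"
    elif ev.kind == "netconn" and ev.dport == 443:
        dest = ev.dest.lower()
        if dest in DOH_RESOLVERS:
            return "doh_c2"
        if any(dest == d or dest.endswith("." + d) for d in MEGA_DOMAINS):
            return "exfil"
    return None

def triage(events):
    """Group rule hits per host and rate each host by distinct tactics seen.
    Returns {host: (severity, sorted tactic labels)}."""
    hits = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            hits[ev.host].add(label)
    report = {}
    for host, labels in hits.items():
        # Recon plus an exfil channel, or three or more tactics on one host,
        # mirrors the staged intrusion; one lone hit is only worth a look.
        if len(labels) >= 3 or {"recon", "exfil"} <= labels:
            sev = "high"
        elif len(labels) == 2:
            sev = "medium"
        else:
            sev = "low"
        report[host] = (sev, sorted(labels))
    return report

# Constructed sample telemetry (host names, times and values are invented).
SAMPLE_EVENTS = [
    Event("2025-09-05T08:01:10Z", "fin-ws-17", "process", image="powershell.exe",
          cmdline="powershell.exe -nop -w hidden -EncodedCommand BASE64PLACEHOLDER"),
    Event("2025-09-05T08:05:42Z", "fin-ws-17", "process", image="NETSCAN.EXE",
          cmdline="netscan.exe"),
    Event("2025-09-05T08:06:03Z", "fin-ws-17", "netconn", dest="dns.google", dport=443),
    Event("2025-09-05T09:40:00Z", "fin-ws-17", "netconn", dest="api.mega.co.nz", dport=443),
    Event("2025-09-05T08:30:00Z", "fin-ws-22", "process", image="chrome.exe",
          cmdline="chrome.exe"),
    Event("2025-09-05T08:31:00Z", "fin-ws-22", "netconn", dest="cloudflare-dns.com", dport=443),
    Event("2025-09-05T10:00:00Z", "fin-srv-03", "process", image="powershell.exe",
          cmdline="powershell.exe -File C:\\ops\\backup.ps1"),
]

if __name__ == "__main__":
    for host, (sev, labels) in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {sev} {labels}")
```

The per-host correlation is the point: each rule on its own is noisy (a browser that speaks DNS over HTTPS trips the resolver rule), but the combination of reconnaissance, an encoded script and a cloud-storage upload from one workstation is the sequence the section describes and is what should page an analyst.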
Impact/Risk
- Breach of critical fiscal policy and Panama Canal revenue data
- Regulatory and sovereignty risks
- Public trust erosion
- Ongoing extortion due to data exposure threats
- Operational continuity maintained through segmentation
Takeaway for CISOs
Government agencies must implement zero-trust principles and DLP technologies to prevent high-value data exfiltration, even from single compromised endpoints. Segregated backups, immutable storage, and incident playbooks for data-centric extortion scenarios are now essential.
FinWise Insider Breach
Overview
Between May 2024 and June 2025, a former FinWise Bank employee maintained unauthorized access to confidential data tied to 689,000 American First Finance customers. Discovery in June 2025 led to breach notification and credit monitoring for all affected customers.
Technical Explanation
The insider retained access because offboarding was incomplete and no automated periodic access review existed. Privileged credentials left active after termination enabled months of data theft. Monitoring and user behavior analytics (UBA) capabilities did not alert on atypical access patterns until customers noticed suspicious activity, resulting in delayed response and an expanded breach.
Key failures:
- Manual deprovisioning failure
- Lack of automated entitlement review and access certifications
- Absence of UBA or activity logging for sensitive data pulls
- Delayed detection, allowing monthly incremental data exfiltration
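Each of the four failures above is a check that can be automated against data most organisations already hold: the HR roster, an IAM account export and the audit trail of sensitive-record pulls. The following is an added example, not FinWise's code or any IAM product's API; the roster, accounts, access records and field names are constructed, and the volume baseline is a deliberately simple stand-in for what a UBA tool would keep.

```python
"""Identity lifecycle checks for the failure modes in the insider breach above:
accounts left enabled after termination, access after the termination date,
and unusual volumes of sensitive-record pulls. Added example; all data and
field names are constructed and assume no particular HR or IAM product."""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed HR roster: employee id -> termination date (None = still employed).
ROSTER = {
    "e1001": None,
    "e1002": date(2024, 5, 14),   # left in May 2024, account never disabled
    "e1003": date(2025, 3, 31),   # left, account disabled correctly
}

# Constructed IAM export: account -> (owner employee id, enabled flag).
ACCOUNTS = {
    "jdoe":   ("e1001", True),
    "rsmith": ("e1002", True),
    "lchen":  ("e1003", False),
}

# Constructed audit trail of sensitive-record pulls: (timestamp, account, rows).
ACCESS_LOG = [
    (datetime(2024, 5, 10, 9, 0), "rsmith", 120),    # before termination: normal
    (datetime(2024, 6, 20, 22, 15), "rsmith", 4800), # after termination, off-hours
    (datetime(2024, 7, 18, 23, 2), "rsmith", 5100),
    (datetime(2024, 6, 3, 10, 30), "jdoe", 150),
    (datetime(2024, 6, 4, 11, 0), "jdoe", 140),
    (datetime(2024, 7, 2, 9, 45), "jdoe", 160),
]

REVIEW_DATE = date(2025, 6, 1)   # constructed date of the access certification run

def orphaned_accounts(roster, accounts, as_of):
    """Enabled accounts whose owner was terminated on or before as_of.
    Returns {account: days the account has outlived its owner's employment}."""
    out = {}
    for acct, (owner, enabled) in accounts.items():
        term = roster.get(owner)
        if enabled and term is not None and term <= as_of:
            out[acct] = (as_of - term).days
    return out

def post_termination_access(roster, accounts, log):
    """Access events performed by an account whose owner had already left."""
    findings = []
    for ts, acct, rows in log:
        owner = accounts.get(acct, (None, None))[0]
        term = roster.get(owner)
        if term is not None and ts.date() > term:
            findings.append((acct, ts.isoformat(), rows))
    return findings

def volume_outliers(log, factor=5.0):
    """Flag pulls larger than factor x the median of that account's earlier,
    unflagged pulls. Flagged pulls are kept out of the baseline so a slow
    month-by-month ramp-up cannot normalise itself."""
    baseline = defaultdict(list)
    flagged = []
    for ts, acct, rows in sorted(log):
        prior = baseline[acct]
        if prior and rows > factor * median(prior):
            flagged.append((acct, ts.isoformat(), rows))
        else:
            prior.append(rows)
    return flagged

def run_review():
    """One access-certification pass over the constructed data."""
    return {
        "orphaned": orphaned_accounts(ROSTER, ACCOUNTS, REVIEW_DATE),
        "post_termination": post_termination_access(ROSTER, ACCOUNTS, ACCESS_LOG),
        "volume": volume_outliers(ACCESS_LOG),
    }

if __name__ == "__main__":
    for name, result in run_review().items():
        print(name, result)
```

The orphaned-account check is the one that would have closed this breach on day one; the other two are the compensating controls for when deprovisioning is late. Note the baseline design in volume_outliers: a pull that is flagged is not fed back into the account's history, otherwise an insider who pulls a little more every month raises their own "normal" and stops triggering.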
Impact/Risk
- Exposure of sensitive customer data (names, SSNs, financial records)
- Regulatory scrutiny, class actions, and financial liability
- Loss of institutional trust, especially for fintech and banking partners
- Mandatory credit monitoring and reporting costs
Takeaway for CISOs
Insider risk programs must focus on identity lifecycle management, automate real-time privilege reviews, and enforce activity monitoring for sensitive data, especially after employee offboarding. DLP controls and behavioral alerts should be prioritized in regulated industries.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management