bbc.com
Sam Francis
Political reporter
19.12.2025

The trade minister says information was accessed and an investigation has been launched.

Government data has been stolen in a hack though officials believe the risk to individuals is "low", a minister has said.

Trade Minister Chris Bryant told BBC Breakfast "an investigation is ongoing" into the hack, adding that the security gap was "closed pretty quickly".

A Chinese affiliated group is suspected of being behind the attack, but Bryant said investigators "simply don't know as yet" who is responsible.

That data is understood to have been on systems operated on the Home Office's behalf by the Foreign Office, whose staff detected the incident.

"We think that it's a fairly low-risk that individuals will have been compromised or affected," Bryant said.

It comes after the Sun newspaper reported that hackers affiliated to the Chinese state accessed the data in October with information possibly including visa details targeted.

The incident has been referred to the Information Commissioners Office.

UK intelligence agencies have warned about increasing, large-scale espionage from China, using cyber and other means, and targeting commercial and political information.

The cyber-agency GCHQ said last year that it was devoting more resources to counter threats from China than any other nation.

"Government facilities are always going to be potentially targeted," Bryant said on Friday.

"We are working through the consequences of what this is."

"This is a part of modern life that we have to tackle and deal with," Bryant added, pointing to major hacks in recent years at Jaguar Land Rover, Marks & Spencer and the British Library.

Confirmation of a hack by a Chinese state group would be awkward for the government ahead of a planned visit to Beijing next year by Sir Keir Starmer, the first by a UK prime minister since 2018.

The Labour government has said it is important to engage with China as it cannot be ignored on trade, climate change and other major issues, but face-to-face meetings also provide a forum for robust exchanges about issues affecting UK security.

The Chinese government has consistently denied it backs cyber-attacks targeting the UK.

Last year, responding to the UK government's National Security Strategy, a spokesperson for the Chinese embassy in London said "accusations such as Chinese espionage, cyber-attacks, and transnational repression against the UK are entirely fabricated, malicious slander".

Earlier this month, Sir Keir said UK government policy towards China could not continue to blow "hot and cold".

Failing to navigate a relationship with China, he said, would be a "dereliction of duty" when China is a "defining force in technology, trade and global governance".

Building a careful relationship would instead bolster the UK's place as a leader on the international stage and help secure UK national interests, Sir Keir said, while still recognising the "reality" that China "poses national security threats".

bbc.com
Joe Tidy
Cyber correspondent, BBC World Service

One of the world's most prominent cyber-criminals speaks to the BBC in an exclusive interview.

After years of reading about "Tank" and months of planning a visit to him in a Colorado prison, I hear the door click open before I see him walk into the room.

I stand up ready to give this former cyber-crime kingpin a professional hello. But, like a cheeky cartoon character, he pokes his head around a pillar with a giant grin on his face and winks.

Tank, whose real name is Vyacheslav Penchukov, climbed to the top of the cyber-underworld not so much with technical wizardry, but with criminal charm.

"I am a friendly guy, I make friends easily," the 39-year-old Ukrainian says, with a broad smile.

Having friends in high places is said to be one of the reasons Penchukov managed to evade police for so long. He spent nearly 10 years on the FBI's Most Wanted list and was a leader of two separate gangs in two distinct periods of cyber-crime history.

It is rare to speak to such a high-level cyber-criminal who has left so many victims behind him; Penchukov spoke to us for six hours over two days as part of the ongoing podcast series Cyber Hack: Evil Corp.

The exclusive interview - Penchukov's first ever - reveals the inner workings of these prolific cyber-gangs, the mindset of some of the individuals behind them and never-before-known details about hackers still at large - including the alleged leader of the sanctioned Russian group, Evil Corp.

It took more than 15 years for authorities to finally arrest Penchukov in a dramatic operation in Switzerland in 2022.

"There were snipers on the roof and the police put me on the ground and handcuffed me and put a bag on my head on the street in front of my kids. They were scared," he recalls with annoyance.

He is still bitter about how he was arrested, arguing that it was over the top. His thousands of victims around the world would strongly disagree with him: Penchukov and the gangs he either led or was a part of stole tens of millions of pounds from them.

In the late 2000s, he and the infamous Jabber Zeus crew used revolutionary cyber-crime tech to steal directly from the bank accounts of small businesses, local authorities and even charities. Victims saw their savings wiped out and balance sheets upended. In the UK alone, there were more than 600 victims, who lost more than £4m ($5.2m) in just three months.

Between 2018 and 2022, Penchukov set his sights higher, joining the thriving ransomware ecosystem with gangs that targeted international corporations and even a hospital.

Englewood Correctional Facility, where Penchukov is being held, would not let us take any recording equipment inside the prison, so a producer and I make notes during the interview as we are watched over by a guard nearby.

The first thing that stands out about Penchukov is that, although he is eager to be released, he seems in high spirits and is clearly making the most of his time in prison. He tells me he plays a lot of sport, is learning French and English - a well-thumbed Russian-English dictionary stays by his side throughout our interview - and is racking up high-school diplomas. He must be smart, I suggest. "Not smart enough - I'm in prison," he jokes.

Englewood is a low-security prison with good facilities. The low-rise but sprawling building sits in the foothills of the Rocky Mountains in Colorado. The dusty grass verges surrounding the prison are teeming with noisy prairie dogs scurrying into their burrows whenever disturbed by prison vehicles coming and going.

It is a long way from Donetsk, Ukraine, where he ran his first cyber-crime gang after falling into hacking through games cheat forums, where he would look for cheats for his favourite video games like Fifa 99 and Counterstrike.

He became the leader of the prolific Jabber Zeus crew - so named because of their use of the revolutionary Zeus malware and their favourite communication platform, Jabber.

Penchukov worked with a small group of hackers that included Maksim Yakubets - a Russian who would go on to be sanctioned by the US government, accused of leading the infamous cyber-group Evil Corp.

Penchukov says that throughout the late 2000s, the Jabber Zeus crew would work out of an office in the centre of Donetsk, putting in six to seven-hour days stealing money from victims overseas. Penchukov would often end his day with a DJ set in the city, playing under the name DJ Slava Rich.

Cyber-crime in those days was "easy money", he says. The banks had no idea how to stop it and police in the US, Ukraine and the UK could not keep up.

In his early 20s, he was making so much money he bought himself "new cars like they were new clothes". He had six in total - "all expensive German ones".

But police got a breakthrough when they managed to eavesdrop on the criminals' text chats in Jabber and discovered the true identity of Tank using details he had given away about the birth of his daughter.

The net closed in on the Jabber Zeus crew, and an FBI-led operation called Trident Breach saw arrests in Ukraine and the UK. But Penchukov slipped through the net thanks to a tip-off from someone he will not name. And thanks to one of his fast cars.

"I had an Audi S8 with a 500-horsepower Lamborghini engine so when I saw the cops flashing lights in my rear view mirror, I jumped the red light and lost them easily. It gave me a chance to test the full power of my car," he says.

He laid low with a friend for a while, but when the FBI left Ukraine, the local authorities seemed to lose interest in him.

So Penchukov kept under the radar and, he says, went straight. He started a company buying and selling coal, but the FBI was still on the trail.

"I was on holiday in Crimea when I got a message from a friend who saw that I had been put on the FBI Most Wanted list. I thought I had got away with it all - then I realised I have a new problem," he says, an obvious understatement.

His lawyer at the time was calm, though, and advised him not to worry: as long as he did not travel outside of Ukraine or Russia, US police could not do much.

The Ukrainian authorities did eventually come knocking - but not to arrest him.

Penchukov had been outed as a wealthy hacker wanted by the West and he alleges that almost every day, officials would come and shake him down for money.

His coal-selling business was going well until Russia's invasion of Crimea in 2014. President Putin's so-called "Little Green Men" - Russian soldiers in unmarked uniforms - ruined his business and missiles struck his apartment in Donetsk, damaging his daughter's bedroom.

Penchukov says that it was business troubles and the constant payouts to Ukrainian officials that led him to once again fire up his laptop and get back into the cyber-crime life.

"I just decided it was the fastest way to make money to pay them," he says.

His journey charts the evolution of modern cyber-crime - from quick and easy bank account theft to ransomware, today's most pernicious and damaging type of cyber-attack used in high-profile hacks this year, including on UK High Street stalwart Marks & Spencer.

He says ransomware was harder work but the money was good. "Cyber-security had improved a lot, but we were able to make about $200,000 a month. Much higher profits."

In a revealing anecdote, he remembers rumours that started about a crew being paid $20m (£15.3m) from a hospital that had been crippled by ransomware.

Penchukov says the news fired up the hundreds of hackers in the criminal forums who all then went after US medical institutions to repeat the pay day. These hacker communities have a "herd mentality", he says: "People don't care about the medical side of things - all they see is 20 millions being paid."

Penchukov rebuilt his connections and skills to become one of the top affiliates of ransomware services, including Maze, Egregor and the prolific group Conti.

When asked if these criminal groups worked with Russian security services - a regular accusation from the West - Penchukov shrugs and says: "Of course." He says that some ransomware gang members sometimes talked about speaking to "their handlers" in the Russian security services, like the FSB.

The BBC wrote to the Russian Embassy in London, asking if the Russian government or its intelligence agencies engaged with cyber criminals to aid cyber espionage, but received no reply.

Penchukov soon rose to the top again and became a leader of IcedID - a gang that infected more than 150,000 computers with malicious software and led to various types of cyber-attack, including ransomware. Penchukov was in charge of a team of hackers who would sift through the infected computers to work out how best to make money from them.

One victim they infected with ransomware in 2020 was the University of Vermont Medical Center in the US. According to US prosecutors, this led to the loss of more than $30m (£23m) and left the medical centre unable to provide many critical patient services for more than two weeks.

Although no-one died, prosecutors say the attack, which disabled 5,000 hospital computers, created a risk of death or serious injury to patients. Penchukov denies he actually did it, claiming he only admitted to it in order to reduce his sentence.

Overall, Penchukov, who has since changed his surname to Andreev, feels the two nine-year sentences he is serving concurrently are too much for what he did (he is hoping to get out much sooner). He has also been ordered to pay $54m (£41.4m) in restitution to victims.

His view as a young hacker who started in cyber-crime as a teenager is that Western companies and people could afford to lose money and that everything was covered by insurance anyway.

But when I speak to one of his early victims from the Jabber Zeus days, it is clear his attacks did have a harmful impact on innocent people.

Lieber's Luggage, a family-run business in Albuquerque, New Mexico, had $12,000 (£9,200) stolen in one swipe by the gang. Owner Leslee still recalls the shock years later.

"It was just disbelief and horror when the bank called because we had no idea what had happened, and the bank clearly didn't have any idea," she says.

While a modest sum, it was devastating for the business, as the money was used for paying rent, buying merchandise and paying staff.

They did not have any savings to fall back on and, to make matters worse, Leslee's elderly mother was in charge of the company accounts and she blamed herself until the theft was uncovered.

"We had all of those feelings, the anger, the frustration, the fear," she says.

When I ask them what they would like to say to the hackers responsible, they think it is futile to try to change the minds of these callous criminals.

"There's nothing that we could say that would affect him," Leslee says.

"I wouldn't give him the time of day," her husband Frank adds.

Penchukov says he did not think about the victims, and he does not seem to do so much now, either. The only sign of remorse in our conversation was when he talked about a ransomware attack on a disabled children's charity.

His only real regret seems to be that he became too trusting with his fellow hackers, which ultimately led to him and many other criminals being caught.

"You can't make friends in cyber-crime, because the next day, your friends will be arrested and they will become an informant," he says.

"Paranoia is a constant friend of hackers," he says. But success leads to mistakes.

"If you do cyber-crime long enough you lose your edge," he says, wistfully.

As if to highlight the disloyal nature of the cyber underworld, Penchukov says he deliberately avoided any further contact with his one-time Jabber Zeus collaborator and friend Maksim Yakubets after the Russian was outed and sanctioned in 2019 by Western authorities.

Penchukov says that he noticed a distinct change in the hacker community as people shunned working with Yakubets and many of his alleged Evil Corp associates.

Previously Penchukov and "Aqua", as Yakubets was known, had hung out in Moscow drinking and eating in luxury restaurants. "He had bodyguards, which I thought was strange - almost like he wanted to show off his wealth or something," he says.

Being ostracised from the cyber crime world did not deter Evil Corp though and last year, the UK's National Crime Agency accused other members of the Yakubets family of being involved in the decade-long crime spree, sanctioning 16 members of the organisation in total.

But unlike Penchukov, the chances of police collaring him or others in the gang seem low. With a $5m bounty out for information leading to his arrest, Yakubets and his alleged co-conspirators are unlikely to repeat Penchukov's mistake of leaving their country.

bbc.com
Joe TidyCyber correspondent, BBC World Service

Prepare to switch to offline systems in the event of a cyber-attack, firms are being advised.

People should plan for potential cyber-attacks by going back to pen and paper, according to the latest advice.

The government has written to chief executives across the country strongly recommending that they should have physical copies of their plans at the ready as a precaution.

A recent spate of hacks has highlighted the chaos that can ensue when hackers take computer systems down.

The warning comes as the National Cyber-Security Centre (NCSC) reported an increase in nationally significant attacks this year.

Criminal hacks on Marks and Spencer, The Co-op and Jaguar Land Rover have led to empty shelves and production lines being halted this year as the companies struggled without their computer systems.

Organisations need to "have a plan for how they would continue to operate without their IT, (and rebuild that IT at pace), were an attack to get through," said Richard Horne, chief executive of the NCSC.

Firms are being urged to look beyond cyber-security controls toward a strategy known as "resilience engineering", which focuses on building systems that can anticipate, absorb, recover, and adapt, in the event of an attack.

Plans should be stored in paper form or offline, the agency suggests, and include information about how teams will communicate without work email and other analogue work arounds.

These types of cyber attack contingency plans are not new but it's notable that the UK's cyber authority is putting the advice prominently in its annual review.

Although the total number of hacks that the NCSC dealt with in the first nine months of this year was, at 429, roughly the same as for a similar period last year, there was an increase in hacks with a bigger impact.

The number of "nationally significant" incidents represented nearly half, or 204, of all incidents. Last year only 89 were in that category.

A nationally significant incident covers cyber-attacks in the three highest categories in the NCSC and UK law enforcement categorisation model:

Category 1: National cyber-emergency.
Category 2: Highly significant incident.
Category 3: Significant incident.
Category 4: Substantial incident.
Category 5: Moderate incident.
Category 6: Localised incident.
Amongst this year's incidents, 4% (18) were in the second highest category "highly significant".

This marks a 50% increase in such incidents, an increase for the third consecutive year.

The NCSC would not give details on which attacks, either public or undisclosed, fall into which category.

But, as a benchmark, it is understood that the wave of attacks on UK retailers in the spring, which affected Marks and Spencer, The Co-op and Harrods, would be classed as a Significant incident.

One of the most serious attacks last year, on a blood testing provider, caused major problems for London hospitals. It resulted in significant clinical disruption and directly contributed to at least one patient death.

The NCSC would not say which category this incident would fall into.

The vast majority of attacks are financially motivated with criminal gangs using ransomware or data extortion to blackmail a victim into sending Bitcoins in ransom.

Whilst most cyber-crime gangs are headquartered in Russian or former Soviet countries, there has been a resurgence in teenage hacking gangs thought to be based in English-speaking countries.

So far this year seven teenagers have been arrested in the UK as part of investigations into major cyber-attacks.

As well as the advice over heightened preparations and collaboration, the government is asking organisations to make better use of the free tools and services offered by the NCSC, for example free cyber-insurance for small businesses that have completed the popular Cyber-Essentials programme.

'Basic protection'
Paul Abbott, whose Northamptonshire transport firm KNP closed after hackers encrypted its operational systems and demanded money in 2023, says it's no longer a case of "if" such incidents will happen, but when.

"We were throwing £120,000 a year at [cyber-security] with insurance and systems and third-party managed systems," Mr Abbott told BBC Radio 5 Live on Tuesday.

He said he now focuses on security, education and contingency - key to which involves planning what is needed to keep a business running in the event of an attack or outage.

"The call for pen and paper might sound old-fashioned, but it's practical," said Graeme Stewart, head of public sector at cyber-security firm Check Point, noting digital systems can be rendered "useless" once targeted by hackers.

"You wouldn't walk onto a building site without a helmet - yet companies still go online without basic protection," he added.

"Cybersecurity needs to be treated with the same seriousness as health and safety: not optional, not an afterthought, but part of everyday working life."

bbc.com
Josh Martinbusiness reporter

The carmaker says some of its customers' data has been stolen in a cyber-attack that targeted a third-party provider.

Renault UK has confirmed that some of its customers' data has been stolen in a cyber-attack that targeted a third-party data processing provider.

No customer financial data, such as passwords or bank account details, had been obtained, Renault said, but other personal data had been accessed and the carmaker warned customers to be vigilant.

The French-owned carmaker would not specify how many people could be affected "for ongoing security reasons" but said it did not anticipate any wider implications for the company, as none of Renault's own systems had been hacked.

It comes after rival Jaguar Land Rover and brewing giant Asahi have had production stopped by cyber-attacks on their systems.

Renault UK said affected people would be notified and that victims of the hack may include a wider pool of people who had entered competitions or shared data with the car company, without purchasing a vehicle.

The carmaker said the data that had been accessed by the cyber-attack included some or all of: customer names, addresses, dates of birth, gender, phone number, vehicle identification numbers and vehicle registration details.

A Renault spokesperson said: "The third-party provider has confirmed this is an isolated incident which has been contained, and we are working with it to ensure that all appropriate actions are being taken. We have notified all relevant authorities.

"We are in the process of contacting all affected customers, advising them of the cyber-attack and reminding them to be cautious of any unsolicited requests for personal information," they added.

Jaguar Land Rover was recently forced to stop production and take a £1.5bn loan underwritten by the government after being targeted by hackers at the end of August.

Earlier this year, M&S and the Co-Op were both hit by cybersecurity breaches that disrupted supply chains and customer orders, and accessed the data of shoppers.

Reporter Joe Tidy was offered money if he would help cyber criminals access BBC systems.

Like many things in the shadowy world of cyber-crime, an insider threat is something very few people have experience of.

Even fewer people want to talk about it.

But I was given a unique and worrying experience of how hackers can leverage insiders when I myself was recently propositioned by a criminal gang.

"If you are interested, we can offer you 15% of any ransom payment if you give us access to your PC."

That was the message I received out of the blue from someone called Syndicate who pinged me in July on the encrypted chat app Signal.

I had no idea who this person was but instantly knew what it was about.

I was being offered a portion of a potentially large amount of money if I helped cyber criminals access BBC systems through my laptop.

They would steal data or install malicious software and hold my employer to ransom and I would secretly get a cut.

I had heard stories about this kind of thing.

In fact, only a few days before the unsolicited message, news emerged from Brazil that an IT worker there had been arrested for selling his login details to hackers which police say led to the loss of $100m (£74m) for the banking victim.

I decided to play along with Syndicate after taking advice from a senior BBC editor. I was eager to see how criminals make these shady deals with potentially treacherous employees at a time when cyber-attacks around the world are becoming more impactful and disruptive to everyday life.

I told Syn, who had changed their name mid-conversation, that I was potentially interested but needed to know how it works.

They explained that if I gave them my login details and security code then they would hack the BBC and then extort the corporation for a ransom in bitcoin. I would be in line for a portion of that payout.

They upped their offer.

"We aren't sure how much the BBC pays you but what if you took 25% of the final negotiation as we extract 1% of the BBC's total revenue? You wouldn't need to work ever again."

Syn estimated that their team could demand a ransom in the tens of millions if they successfully infiltrated the corporation.

The BBC has not publicly taken a position on whether or not it would pay hackers but advice from the National Crime Agency is not to pay.

Still, the hackers continued their pitch.

bbc.com/ Jacqueline Howard

The pair were allegedly recruited by pro-Russian hackers and used a "wi-fi sniffer" on the Europol headquarters.

Two 17-year-old boys have been arrested on suspicion of "state interference" in the Netherlands, prosecutors say, in a case with reported links to Russian spying.

The pair were allegedly contacted by pro-Russian hackers on the messaging app Telegram, Dutch media reported.

One of the boys allegedly walked past the offices of Europol, Eurojust and the Canadian embassy in The Hague carrying a "wi-fi sniffer" - a device designed to identify and intercept wi-fi networks.

The teenagers appeared before a judge on Thursday, who ordered one boy be remanded in custody and the other placed on strict home bail conditions until a hearing, which is due to take place in the next two weeks.

The National Office of the Netherlands Public Prosecution Service confirmed court appearance, but told the BBC it could not provide details on the case due to the suspects' age and in "the interest of the investigation", which is ongoing.

One of the boy's father told Dutch newspaper De Telegraaf that police had arrested his son on Monday afternoon while he was doing his homework.

He said police told him that the arrest related to espionage and rendering services to a foreign country, the paper reports.

The teenager was described as being computer savvy and having a fascination for hacking, while holding a part-time job at a supermarket.

The Netherlands' domestic intelligence and security agency declined to comment on the case when approached by the BBC.

bbc.com
Imran Rahman-JonesTechnology reporter andJoe TidyCyber correspondent, BBC World Service

The National Crime Agency (NCA) said a man in his forties was arrested in West Sussex.

A person has been arrested in connection with a cyber-attack which has caused days of disruption at several European airports including Heathrow.

The National Crime Agency (NCA) said a man in his forties was arrested in West Sussex "as part of an investigation into a cyber incident impacting Collins Aerospace".

There have been hundreds of flight delays after Collins Aerospace baggage and check-in software used by several airlines failed, with some boarding passengers using pen and paper.

"Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing," said Paul Foster, head of the NCA's national cyber crime unit.

The man was arrested on Tuesday evening on suspicion of Computer Misuse Act offences and has been released on bail.

The BBC has seen an internal memo sent to airport staff at Heathrow about the difficulties software provider Collins Aerospace is having bringing their check-in software back online.

The US company appears to be rebuilding the system again after trying to relaunch it on Monday.

Collins Aerospace's parent company RTX Corporation told the BBC it appreciated the NCA's "ongoing assistance in this matter".

The US firm has not put a timeline on when it will be ready and is urging ground handlers and airlines to plan for at least another week of using manual workarounds.

At Heathrow, extra staff have been deployed in terminals to help passengers and check-in operators but flights are still experiencing delays.

On Monday, the EU's cyber-security agency said ransomware had been deployed in the attack.

Ransomware is often used to seriously disrupt victims' systems and a ransom is demanded in cryptocurrency to reverse the damage.

These types of attacks are an issue for organisations around the country, with organised cyber-crime gangs earning hundreds of millions of pounds from ransoms every year.

Days of disruption
The attack against US software maker Collins Aerospace was discovered on Friday night and resulted in disruption across many European airports, including in Brussels, Dublin and Berlin.

Flights were cancelled and delayed throughout the weekend, with some airports still experiencing effects of the delays into this week.

"The vast majority of flights at Heathrow are operating as normal, but we encourage passengers to check the status of their flight before travelling to the airport," Heathrow Airport said in a statement on its website.

Berlin Airport said on Wednesday morning "check-in and boarding are still largely manual", which would result in "longer processing times, delays, and cancellations by airlines".

While Brussels Airport advised passengers to check in online before arriving at the airport.

Cyber-attacks in the aviation sector have increased by 600% over the past year, according to a report by French aerospace company Thales.

bbc.com Joe TidyCyber correspondent and
Tabby Wilson

The EU's cyber security agency says criminals are using ransomware to cause chaos in airports around the world.

Several of Europe's busiest airports have spent the past few days trying to restore normal operations, after a cyber-attack on Friday disrupted their automatic check-in and boarding software.

The European Union Agency for Cybersecurity, ENISA, told the BBC on Monday that the malicious software was used to scramble automatic check-in systems.

"The type of ransomware has been identified. Law enforcement is involved to investigate," the agency said in a statement to news agency Reuters.

It's not known who is behind the attack, but criminal gangs often use ransomware to seriously disrupt their victims' systems and demand a ransom in bitcoin to reverse the damage.

The BBC has seen internal crisis communications from staff inside Heathrow Airport which urges airlines to continue to use manual workarounds to board and check in passengers as the recovery is ongoing.

Heathrow said on Sunday it was still working to resolve the issue, and apologised to customers who had faced delayed travel.

It stressed "the vast majority of flights have continued to operate" and urged passengers to check their flight status before travelling to the airport.

The BBC understands about half of the airlines flying from Heathrow were back online in some form by Sunday - including British Airways, which has been using a back-up system since Saturday.
Continued disruption

The attack against US software maker Collins Aerospace was discovered on Friday night and resulted in disruption across several airports on Saturday.

While this had eased significantly in Berlin and London Heathrow by Sunday, delays and flight cancellations remained.

Brussels Airport, also affected, said the "service provider is actively working on the issue" but it was still "unclear" when the issue would be resolved.

They have asked airlines to cancel nearly 140 of their 276 scheduled outbound flights for Monday, according to the AP news agency.

Meanwhile, a Berlin Airport spokesperson told the BBC some airlines were still boarding passengers manually and it had no indication on how long the electronic outage would last.

bbc.com 12.09 Theo LeggettBusiness correspondent

The past two weeks have been dreadful for Jaguar Land Rover (JLR), and the crisis at the car maker shows no sign of coming to an end.

A cyber attack, which first came to light on 1 September, forced the manufacturer to shut down its computer systems and close production lines worldwide.

Its factories in Solihull, Halewood, and Wolverhampton are expected to remain idle until at least Wednesday, as the company continues to assess the damage.

JLR is thought to have lost at least £50m so far as a result of the stoppage. But experts say the most serious damage is being done to its network of suppliers, many of whom are small and medium sized businesses.

The government is now facing calls for a furlough scheme to be set up, to prevent widespread job losses.

David Bailey, professor of business economics at Birmingham Business School, told the BBC: "There's anywhere up to a quarter of a million people in the supply chain for Jaguar Land Rover.

"So if there's a knock-on effect from this closure, we could see companies going under and jobs being lost".

Under normal circumstances, JLR would expect to build more than 1,000 vehicles a day, many of them at its UK plants in Solihull and Halewood. Engines are assembled at its Wolverhampton site. The company also has large car factories in China and Slovakia, as well as a smaller facility in India.

JLR said it closed down its IT networks deliberately in order to protect them from damage. However, because its production and parts supply systems are heavily automated, this meant cars simply could not be built.

Sales were also heavily disrupted, though workarounds have since been put in place to allow dealerships to operate.

Initially, the carmaker seemed relatively confident the issue could be resolved quickly.

Nearly two weeks on, it has become abundantly clear that restarting its computer systems has been a far from simple process. It has already admitted that some data may have been seen or stolen, and it has been working with the National Cyber Security Centre to investigate the incident.

Experts say the cost to JLR itself is likely to be between £5m and £10m per day, meaning it has already lost between £50m and £100m. However, the company made a pre-tax profit of £2.5bn in the year to the end of March, which implies it has the financial muscle to weather a crisis that lasts weeks rather than months.

'Some suppliers will go bust'
JLR sits at the top of a pyramid of suppliers, many of whom are highly dependent on the carmaker because it is their main customer.

They include a large number of small and medium-sized firms, which do not have the resources to cope with an extended interruption to their business.

"Some of them will go bust. I would not be at all surprised to see bankruptcies," says Andy Palmer, a one-time senior executive at Nissan and former boss of Aston Martin.

He believes suppliers will have begun cutting their headcount dramatically in order to keep costs down.

Mr Palmer says: "You hold back in the first week or so of a shutdown. You bear those losses.

"But then, you go into the second week, more information becomes available – then you cut hard. So layoffs are either already happening, or are being planned."

A boss at one smaller JLR supplier, who preferred not to be named, confirmed his firm had already laid off 40 people, nearly half of its workforce.

Meanwhile, other companies are continuing to tell their employees to remain at home with the hours they are not working to be "banked", to be offset against holidays or overtime at a later date.

There seems little expectation of a swift return to work.

One employee at a major supplier based in the West Midlands told the BBC they were not expecting to be back on the shop floor until 29 September. Hundreds of staff, they say, had been told to remain at home.

When automotive firms cut back, temporary workers brought in to cover busy periods are usually the first to go.

There is generally a reluctance to get rid of permanent staff, as they often have skills that are difficult to replace. But if cashflow dries up, they may have little choice.

Labour MP Liam Byrne, who chairs the Commons Business and Trade Committee, says this means government help is needed.

"What began in some online systems is now rippling through the supply chain, threatening a cashflow crunch that could turn a short-term shock into long-term harm", he says.

"We cannot afford to see a cornerstone of our advanced manufacturing base weakened by events beyond its control".

The trade union Unite has called for a furlough system to be set up to help automotive suppliers. This would involve the government subsidising workers' pay packets while they are unable to do their jobs, taking the burden off their employers.

"Thousands of these workers in JLR's supply chain now find their jobs are under an immediate threat because of the cyber attack," says Unite general secretary, Sharon Graham.

"Ministers need to act fast and introduce a furlough scheme to ensure that vital jobs and skills are not lost while JLR and its supply chain get back on track."

Business and Trade Minister Chris Bryant said: "We recognise the significant impact this incident has had on JLR and their suppliers, and I know this is a worrying time for those affected.

"I met with the chief executive of JLR yesterday to discuss the impact of the incident. We are also in daily contact with the company and our cyber experts about resolving this issue."

bbc.com Chris VallanceSenior Technology Reporter andTheo Leggett International Business Correspondent 3.09.2025

Staff were sent home and the company shut down its IT systems in an effort to minimise the damage done.

A cyber-attack has "severely disrupted" Jaguar Land Rover (JLR) vehicle production, including at its two main UK plants.

The company, which is owned by India's Tata Motors, said it took immediate action to lessen the impact of the hack and is working quickly to restart operations.

JLR's retail business has also been badly hit at a traditionally a popular time for consumers to take delivery of a new vehicle - but there is no evidence any customer data had been stolen, it said.

The attack began on Sunday as the latest batch of new registration plates became available on Monday, 1 September.

The BBC understands that the attack was detected while in progress, and the company shut down its IT systems in an effort to minimise any damage.

Workers at the company's Halewood plant in Merseyside were told by email early on Monday morning not to come into work while others were sent home, as first reported by the Liverpool Echo.

The BBC understands the attack has also hit JLR's other main UK manufacturing plant at Solihull, with staff there also sent home.

The company said: "We took immediate action to mitigate its impact by proactively shutting down our systems. We are now working at pace to restart our global applications in a controlled manner."

It added: "At this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted."

It is not yet known who is responsible for the hack, but it follows crippling attacks on prominent UK retail businesses including Marks & Spencer and the Co-op.

In both cases, the hackers sought to extort money.

While JLR's statement makes no mention of a cyber-attack, a separate filing by parent company Tata Motors to the Bombay Stock Exchange referred to an "IT security incidence" causing "global" issues.

The National Crime Agency said: "We are aware of an incident impacting Jaguar Land Rover and are working with partners to better understand its impact."

In 2023, as part of an effort to "accelerate digital transformation across its business", JLR signed a five-year, £800m deal with corporate stablemate Tata Consultancy Services to provide cybersecurity and a range of other IT services.

The halt in production is a fresh blow to the firm which recently revealed a slump in profits attributed to increasing in costs caused by US tariffs.

BBC - Transport company KNP forced to shut down after international hacker gangs target thousands of UK businesses.
One password is believed to have been all it took for a ransomware gang to destroy a 158-year-old company and put 700 people out of work.

KNP - a Northamptonshire transport company - is just one of tens of thousands of UK businesses that have been hit by such attacks.

Big names such as M&S, Co-op and Harrods have all been attacked in recent months. The chief executive of Co-op confirmed last week that all 6.5 million of its members had had their data stolen.

In KNP's case, it's thought the hackers managed to gain entry to the computer system by guessing an employee's password, after which they encrypted the company's data and locked its internal systems.

KNP director Paul Abbott says he hasn't told the employee that their compromised password most likely led to the destruction of the company.

"Would you want to know if it was you?" he asks.

"We need organisations to take steps to secure their systems, to secure their businesses," says Richard Horne CEO of the National Cyber Security Centre (NCSC) - where Panorama has been given exclusive access to the team battling international ransomware gangs.

One small mistake
In 2023, KNP was running 500 lorries – most under the brand name Knights of Old.

The company said its IT complied with industry standards and it had taken out insurance against cyber-attack.

But a gang of hackers, known as Akira, got into the system leaving staff unable to access any of the data needed to run the business. The only way to get the data back, said the hackers, was to pay