Re: Jaguar?
Posted: Thu Sep 18, 2025 11:01 am
Also every IT person says every other IT person is doing it wrong.
Dave!
There are also many other scenarios where an IT consultancy has discovered a vulnerability and suggested a fix to be told by the customer they have no budget and will accept the risk.
Mito Man wrote: Thu Sep 18, 2025 10:34 am
From my limited knowledge it seems more complex than that. Eg an employee clicking a dodgy link giving access to the hackers. So in your case it would be like someone leaving a tap open and flooding the house and then wanting to claim from your company
jamcg wrote: Thu Sep 18, 2025 10:32 am
If I install a bathroom in your house, and it leaks through your ceilings and destroys your house, I (well the company I work for) is liable to sort it out, either from their own pocket or via our public liability insurance.
Matty wrote: Wed Sep 17, 2025 10:01 pm
M&S, Co-Op, Harrods and JLR all have their IT provision via Tata Consultancy Services (TCS). All companies were hit by the same cyber group. I'm not suggesting there is a pattern here, obviously.
I've a lot of sympathy for the workers and the affected 3rd party suppliers - however the fact that Unite are suggesting the tax payer should bail everyone out all because those companies chose to outsource their IT provision to increase margins? How about Tata covers all the costs? Four of their companies have been compromised, and TCS netted $5.7billion last year. They can pay it for their shitty cyber practices.
It seems baffling that there’s not some clause in the contracts that states an IT security contractor is liable if they fail to secure your IT!
Also this. If that is the case they better have their evidence to hand (on either side, although JLR might struggle to access it).
scotta wrote: Thu Sep 18, 2025 11:18 am
There are also many other scenarios where an IT consultancy has discovered a vulnerability and suggested a fix to be told by the customer they have no budget and will accept the risk.
Mito Man wrote: Thu Sep 18, 2025 10:34 am
From my limited knowledge it seems more complex than that. Eg an employee clicking a dodgy link giving access to the hackers. So in your case it would be like someone leaving a tap open and flooding the house and then wanting to claim from your company
jamcg wrote: Thu Sep 18, 2025 10:32 am
If I install a bathroom in your house, and it leaks through your ceilings and destroys your house, I (well the company I work for) is liable to sort it out, either from their own pocket or via our public liability insurance.
It seems baffling that there’s not some clause in the contracts that states an IT security contractor is liable if they fail to secure your IT!
A bit of searching suggests that Tata don't run BMW's systems - but they do have a partnership/joint venture with BMW for vehicle software development
DeskJockey wrote: Thu Sep 18, 2025 9:41 am
BMW might be next...
https://cybernews.com/news/bmw-ransomwa ... jlr-trend/
It's hugely far fetched, given that all the group are claiming they have is 'audit' documentation.
Mito Man wrote: Thu Sep 18, 2025 12:11 pm
But you can turn on, move the car etc via the phone app. Surely it isn’t too far fetched to infiltrate that system?
Cybernews Senior Information Security Researcher Aras Nazarovas explained that “we need to wait until Everest releases a sample of the alleged stolen data to get a better idea of the scope of the breach.”
However, Nazarovas points out that in the group’s leak post, “they mention the data is audit-related, which could mean lots of sensitive documents, but could also be a mistranslation, which is common for Everest.”
Well it wouldn't be the first time!
We've seen Speed 2, we know what's possible!!
Beany wrote: Thu Sep 18, 2025 12:36 pm
Most cars don't have the capability to be remotely controlled as in most places, that's illegal on the public road, so any control mechanisms are local - IE the feedback is done from sensors and cameras locally, not fed upstream to a server, then commands sent back - for a start, the latency is a problem.
I'm not an automotive engineer, but I am Beany, and as such speaking with authority on matters on which I have no experience is my key skill.
There is no chance a hack like this could cause your BMW to drive into a wall.
For Teslas and Waymos, there's a greater risk, as they have specific setups to allow remote control - but I'd be willing to bet they have pretty heavy additional steps to allow this to happen - IE having to use a physical security key (like a Yubikey, not an actual lock and key) on a terminal before you can take remote control.
I have to enter a password, stored on a separate system with a separate login, before I can get elevated rights on a customer's basic web server, for example. And that's just so I can bounce the web server software.
That's not physically possible by 'hacking', by someone wearing a dark hoodie with the hood up indoors, behind three monitors with two keyboards where the password is always swordfish, etc.