A cyber security specialist has described the automotive sector as “an industry under attack” in which hacks have become “business as usual”. 

Mark Rodbert, CEO at Idax Software, told Autocar Business that the industry was attractive to cyber criminals because of its high staff turnover, which created weak spots when permissions and access from former employees remained active, and the number of finance applications processed by dealers, which were obvious targets for ransomware attacks due to high volumes of customer data. 

“Somebody, somewhere, has decided that there’s a vulnerability in automotive,” he said. "The car industry has a huge staff turnover – particularly dealer groups. Whenever you have that kind of churn, it creates vulnerability around personnel and makes it easier to get malicious insiders into an organisation.

"The second thing is that dealer groups, particularly, are now basically financial institutions where a car is the physical asset, because most cars are now sold with a financial product attached."

Alistair Wesson (below), director of Mongoose Cyber Security, explained why old login details were such a risk. He said: “The more you leave forgotten, the bigger your attack surface. You basically want the lowest possible number of things to attack, so that means having the fewest permissions and web servers you possibly can.

“Microsoft accounts are held on something called Active Directory. In layman’s terms, that means that you can sit at one computer and log in, then sit at another computer and log in and still get to your stuff. That is the number one target – the holy grail for all hackers. If you can compromise a company’s Active Directory, you’re in.” 

According to Rodbert, advances in technology and AI had dramatically increased the scale of attacks but done little for their sophistication. 

Rodbert said: “Hackers will contact help desks and use a combination of psychological techniques. That includes bullying: ‘Do you know who I am? I’ve got a really important thing to do. I’m working from home and need access. This has got to be done in the next 10 minutes or the board will sack me.’ They play on that position to get to somebody in a lower-status job.  

“I’m a firm believer that all of these attacks and breaches are just pretty old-fashioned con artistry with new technology, but what that new technology gives you is enormous scale. Think of three-card monte: that’s exactly what they’re doing. It’s the urgency, and all the psychological tricks that go along with it. The difference is they’re doing it to 100,000 people at a time… but the great big trawler doesn’t care what size the fish is.”

In April, a judge ruled that around 15,000 Scottish motorists could pursue compensation claims against dealer group Arnold Clark after their data was leaked on the dark web following a cyber attack in December 2022. The ruling was made in the Scottish Court of Session, which heard evidence that the group failed to protect customers’ personal details. 

Citing comments from former Arnold Clark chief executive and managing director Eddie Hawthorne, who stepped down in March 2025, Rodbert (below) said of the attack: “You can protect the wall all you like, but the bad guys are already in the building. Eddie said he reckoned they were ‘in his closet’ for about six months before they attacked. 

“Their attack happened over Christmas, and two weeks afterwards, they still hadn’t heard anything from the ransomware attackers. When they did, they even sent over an FAQ page… [Hacking] is an industry and the reason it took them two or three weeks to get in touch was because their sales function – the people who’d done the attack – had written to too much business. They’d been too successful with too many companies over that Christmas period, and the customer support function couldn’t keep up.”

Cyber attacks often increase over Christmas, when hackers take advantage of lower staffing levels and longer response times. 

But the risk is real at all times and the potential cost high. The JLR cyber attack in August 2025 caused the manufacturer to cease production in September. It reportedly led to the manufacturer posting a £485 million loss before tax and exceptional items, a 24% drop in revenues for the quarter and a 0.17% reduction in the UK’s economic output in September, according to the Office for National Statistics.  

In October, Bloomberg reported that two cyber security companies alerted JLR when they discovered breaches in its data weeks before the attack. A similar report in the Jerusalem Post said Deep Specter – one of the firms that allegedly flagged the breach – received no response from the manufacturer after contacting it both before and after the hack. 

Rodbert’s advice to dealers and OEMs was regular vigilance around IT permissions and access.

“Every time you take away access from a single person, you are reducing the risk,” he said, “not by much, but by a little bit… There’s no silver bullet or technology you can buy – not even ours – that will protect you. It’s about doing the simple things well.

“You might just have to take Friday mornings to do your security stuff and make sure Fred, who moved departments last month, had his access taken away. You might end up selling just a few fewer cars, but [if you don’t] you might end up not being here.”