
Why JLR’s CISO Mandated In-Person Password Resets After Cyber-Attack

Originally published on: June 10, 2026
Summary

– Ashish Shrestha, former CISO at Jaguar Land Rover, spoke at Infosecurity Europe about a security incident.
– He required over 30,000 employees to change their passwords immediately after the incident occurred.

In the wake of a significant cyber-attack, Jaguar Land Rover’s former Chief Information Security Officer, Ashish Shrestha, made a controversial decision: he required more than 30,000 employees to reset their passwords in person. Speaking at Infosecurity Europe, Shrestha explained the rationale behind this hands-on approach, which prioritized security over convenience.

The directive came immediately after the breach, when the organization faced the daunting task of containing the threat and restoring trust. Shrestha argued that in-person password resets were essential to ensure that the new credentials were created securely, without the risk of phishing or social engineering that often accompanies remote or automated systems. By bringing employees face-to-face, the security team could verify identities, educate staff on emerging threats, and enforce stronger password policies in real time.

This method also allowed JLR to assess employee awareness and provide immediate feedback. Rather than relying on a generic email or portal, which could be intercepted or ignored, the in-person approach created a controlled environment where every reset was verified. Shrestha noted that while this strategy was logistically challenging and time-consuming, it significantly reduced the likelihood of further compromise through weak or reused passwords.

The decision underscores a broader lesson for cybersecurity leaders: when speed and certainty are critical, old-fashioned human interaction can be more effective than digital automation. For JLR, the trade-off between convenience and security was clear, and the in-person mandate proved to be a decisive step in regaining control after the attack.

(Source: Infosecurity Magazine)
