Jaguar Land Rover: Production Halted and Recovery Underway

In late August 2025, Jaguar Land Rover (JLR) was hit by a major cyberattack that
forced the company to shut down its computer networks and pause vehicle production.
JLR announced on September 2nd that it had been impacted by a cyber incident and
immediately shut down systems to contain the breach. At first the company said there
was no evidence any customer data had been stolen, but it confirmed that its retail and
factory operations were severely disrupted. Within days all the company’s factories in
the UK (Halewood, Solihull, etc.) and other countries were halted, and thousands of
employees were told to stay home. Production remained down for weeks as JLR
investigated the attack.

Nature of the Attack
JLR has not officially confirmed exactly what kind of malware or intrusion caused the
shutdown, but security experts say it resembled a ransomware-style attack. In
ransomware incidents hackers typically lock or encrypt a company’s computers and
demand a ransom. Even without a public ransom demand, the clues point to a similarly
destructive intrusion. Cybersecurity analysts note that the decision by JLR to power off
critical systems suggests the attackers had deeply penetrated the network. Almost
immediately after the incident, a hacking gang calling itself Scattered Lapsus$ Hunters
claimed responsibility. The name suggests that the attack may have been orchestrated by a
coalition of well-known cybercriminal groups.


It has been reported that the attackers probably got into the company through phishing or
stolen credentials, a typical way of breaking into corporate networks. Once inside, the
hackers apparently moved quickly through JLR's IT systems and damaged
manufacturing software and parts-supply portals. In brief, it was a highly advanced
cyberattack on JLR that targeted the core of the company's IT infrastructure, and probably
even some of its manufacturing controls.

Impact on Operations and Data
The cyberattack had huge effects on JLR’s business. For three weeks or more, the
carmaker’s assembly lines were completely silent. Normally, JLR factories build over
1,000 vehicles per day, so the pause cost the company tens of millions of pounds each
week. The British government admitted the breach was having a significant impact on
JLR and its wider supply chain.

Many of JLR’s hundreds of parts suppliers had to slow or stop their own work, leaving
parts makers and subcontractors laying off workers or sending them on unpaid leave.
Unions warned that supply chain workers were being laid off in the hundreds, and
thousands of jobs were at risk if the shutdown continued.


The timing was also critical: the attack came just as the UK's new-vehicle registration
period was starting, and dealers were unable to register and deliver cars as scheduled.
For some customers, the disruption meant further delays and rescheduled handovers.

On the data side, JLR initially claimed that customer information was secure.
However, as the investigation progressed, the company realized that certain data
had been affected and reported the matter to regulators. By late September, JLR
confirmed that personal and employee data were stolen in the breach.

Company Response and Recovery
Following the attack, Jaguar Land Rover immediately activated its cybersecurity response
team and engaged external security experts to mitigate the attack. The company
turned off all of its IT systems within hours of learning about the attack to
avoid further infiltration.

JLR also worked closely with law enforcement and the UK’s National Cyber Security
Centre (NCSC) during the investigation. The company was very transparent during the
process, and it regularly released public updates.

● On September 10, JLR stated that forensic analysis was ongoing and confirmed
that “some data has been affected.” Regulators and potentially impacted
individuals were notified.
● On September 16, the automaker announced that the production pause would
continue until September 24, allowing more time to ensure systems could safely
restart.

By the final week of September, JLR began a controlled restart of its operations.
Systems were restored gradually and securely:
● The Global Parts Logistics Centre, which distributes parts to dealerships, was
one of the first to go back online.
● IT capacity was increased to clear a large backlog of supplier invoices.
● Financial and registration systems were restored, allowing dealers to resume
processing vehicle sales.

Long-Term Implications
The Jaguar Land Rover cyberattack served as a significant wake-up call for the car industry.
Because JLR is one of the largest carmakers in Britain, its case demonstrated how fragile
most contemporary digital supply chains can be. Although JLR had already spent about £800
million on IT security by engaging Tata Consultancy Services, the attack showed that no
company can be completely safe against cyber threats.

Following this attack, many carmakers are set to step up their cybersecurity. They
can deploy zero-trust systems, disconnect factory networks from IT systems, and
scrutinize vendors. Governments and regulators are also more vigilant.
British politicians even referred to the attack as a cyber siege on the
manufacturing industry in the UK. The UK government's financial assistance to JLR
suggests that there may be more public support for cyber resilience in key industries
in the future.

For JLR, losses in sales and inventory ran into the hundreds of millions,
and quarterly results declined. The firm has begun a slow recovery
process, but it will be months before the company can clear the backlog of vehicles that
were stalled by the shutdown.


Source:
https://www.cybersecuritydive.com/news/jaguar-land-rover-restoration-cyberattack/761251/
https://en.wikipedia.org/wiki/Jaguar_Land_Rover_cyberattack
https://media.jaguarlandrover.com/news/2025/09/statement-cyber-incident