Jaguar Land Rover hit by cyber incident during peak season for UK car sales
"There is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted."
Jaguar Land Rover has been hit by a "cyber incident" that has "severely disrupted" its retail and vehicle production facilities.
The company allegedly wrote to staff at a plant in Merseyside at 4.30 am on Monday morning, telling them not to go to work that day. Another facility in Solihull has also reportedly been impacted.
It is not yet known whether Scattered Spider or another prominent hacking group is responsible for the incident, which comes in the wake of several high-profile incidents involving British high street giants.
JLR has not revealed whether the incident involved ransomware - although security professionals indicated that its timing suggests knowledge of the automotive industry's sales cycles and therefore indicates a sophisticated threat actor may be involved.
In a statement, JLR, which is owned by India's Tata Motors, said: "JLR has been impacted by a cyber incident. We took immediate action to mitigate its impact by proactively shutting down our systems.
"We are now working at pace to restart our global applications in a controlled manner. At this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted."
Global manufacturing sector at risk
The attack took place during an important moment for the UK automotive industry: the issuing of new number plates on September 1, which typically prompts a sales increase as people rush to buy new motors.
Jon Abbott, CEO and founder of ThreatAware, said the timing was not likely to have been an accident.
He said: "The attacker is likely to have deliberately targeted Jaguar Land Rover during their busiest period of the year, when new registration plates are launched, to gain further leverage. The attack shows the real consequences for people in such incidents. Disruption here doesn’t just affect IT systems but also impacts the daily lives of people who no longer are able to go to work.
"Cyber resilience is fundamental to overall business resilience, and the cost of disruption can be hugely damaging. In a sector so dependent on operational uptime, no manufacturer will want to become the focus of future cyber incident headlines.
"Protecting uptime requires a focus on the security fundamentals: visibility across the entire production environment – including both legacy and modern systems, strong cyber hygiene, and robust user validation."
Unfortunately, modern manufacturing is often terrifyingly vulnerable to attacks, particularly if it relies on a global supply chain.
READ MORE: Dark web dealers halt US shipments as Trump scraps "catastrophic" border loophole
Dray Agha, senior manager of security operations at Huntress, said, "A single IT system attack can halt a multi-billion-pound physical production line, directly impacting sales.
"Cybercriminals know this, and many leverage the stopped clock of business functions as the leverage they need to force capitulation of ransomware demands. It is not known if ransomware was involved in the Jaguar Land Rover attack, but ransomware actors target manufacturers for a reason.
"While the quick shutdown of systems was a textbook damage limitation tactic that likely prevented a data breach, it underscores the immense recovery challenge companies now face in safely rebooting complex, interconnected operations after an attack.
"In 2025, there are still companies that wait until a devastating cyberattack to invest in a robust security posture. Fortunately, Jaguar Land Rover appears to have had processes and procedures in place to 'lessen the effect' and return to business as usual.
Is the JLR incident part of a campaign targeting the automotive sector?
Scattered Spider is known to focus its attention on entire industries, ranging from insurance to travel as well as its famous high street campaigns.
Could the threat actor behind the JLR attack target other companies automotive sector?
James Neilson, SVP International at OPSWAT, said: "With operations becoming more digitised, especially with the merging of IT and OT zones, automotive companies are more vulnerable to cyberattacks.
"The attack has hit Jaguar Land Rover during one of their busiest times of the year. This type of situation gives attackers substantial leverage over their victims.
"Jaguar Land Rover confirmed that they shut down systems to mitigate the impact, which highlights the struggle organisations face in preventing attackers from spreading across their networks. This is why securing data flows between systems, employees, and supply chains is critical.
"For any organisation, measures around access credentials, malware detection, and data sanitisation are crucial in limiting the movement of attackers and protecting operational uptime."
READ MORE: Anthropic shares the criminal confessions of Claude, warns of growing "vibe hacking" threat
Nivedita Murthy, senior security consultant at Black Duck, shared the following advice for companies hit by similar attacks: "The first step after detecting a security incident is containment.
"Jaguar did the right thing by shutting down its IT system before the attack spread further and caused damage.
"As part of the post-incident activity, they would be able to identify how the attackers were able to access the systems and take advantage of them.
"This incident is another reminder that emphasises the need to work on securing business operations as well as customer data to ensure smooth production and uncompromised trust in software, as attackers are increasingly targeting retail operators to access customer base information.
"People within an organisation tend to be the weakest links, and any information gained on customers could be used for future phishing attacks or scams. The fraud industry is thriving, and more and more people are falling victim due to the fact that a lot of information on customer activity is available online."
Do you have a story or insights to share? Get in touch and let us know.
