Jaguar Land Rover (JLR), the iconic British luxury car manufacturer owned by Tata Motors, is grappling with the aftermath of a major cyberattack that has brought its global production lines and retail operations to a standstill. The incident, which began on September 1, 2025, forced the company to proactively shut down its IT systems, halting manufacturing at key sites in Merseyside and Solihull in the UK, as well as at international facilities. The disruption has rippled through JLR’s tightly integrated supply chain, preventing dealerships from registering new vehicles and delivering cars to customers—a blow that could not have come at a worse time, coinciding with the highly anticipated release of new car registration plates.
According to the BBC, a group of young, English-speaking hackers calling themselves "Scattered Lapsus$ Hunters" has claimed responsibility for the attack. The group, which has also been linked to previous high-profile cyber incidents involving UK retailers such as Marks & Spencer (M&S), Co-op, and Harrods earlier this year, posted screenshots on Telegram purportedly showing internal JLR IT network information. In a taunting message, the hackers wrote, “Where is my new car, Land Rover,” while sharing what appeared to be internal troubleshooting instructions and computer logs from JLR’s systems. Security researcher Kevin Beaumont told the BBC, “Based on the information provided by the attackers and open source intelligence, the attack has access to JLR’s internal systems and network.”
JLR has responded with swift containment measures. “We took immediate action to mitigate its impact by proactively shutting down our systems,” the company stated. “We are now working at pace to restart our global applications in a controlled manner. At this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted.” The company is working with external cybersecurity experts and the Information Commissioner’s Office is currently assessing the incident, as reported by BBC.
While JLR has not confirmed the exact nature of the breach, cybersecurity analysts believe the attackers exploited a combination of two SAP NetWeaver vulnerabilities (CVE-2025-31324 and CVE-2025-42999) to gain administrative access and execute commands within the company’s network. The group claiming responsibility, known as “Rey” on Telegram and associated with collectives like Scattered Spider, Lapsus$, and ShinyHunters, posted evidence that aligns with these technical exploits, according to security reports cited by BizClik.
The operational and financial repercussions have been immediate and severe. Each hour of downtime in the automotive sector is estimated to cost upwards of £1.6 million in lost output and sales, according to Tim Grieveson, CISO at ThingsRecon. “This cyberattack isn’t just an operational setback. It is a revenue issue across the entire chain. Every day of halted production means fewer cars to sell, while dealers are losing immediate income from being unable to register or deliver vehicles,” Grieveson explained. For JLR, the priority now is to quantify and communicate the financial exposure quickly, both in terms of missed sales and delayed cash flow. For dealers, the focus is on customer management and pushing for contingency support from the manufacturer. “The real risk is longer-term damage to customer confidence if remediation isn’t swift and transparent,” Grieveson warned.
Dealerships have been especially hard hit, as they are unable to register new vehicles—a legal requirement for delivery—leaving customers in the lurch during a critical sales window. Staff and partners described significant delays, with some systems still being restored days after the initial shutdown, as reported by BizClik. JLR has stated that its teams are working through a phased restart of operations, but the full extent of the disruption remains unclear.
The incident underscores the growing cyber risks facing the automotive industry, where highly digitized operations and interconnected supply chains make manufacturers particularly vulnerable. “This incident highlights the critical vulnerability of modern manufacturing, where a single IT system attack can halt a multi-billion-pound physical production line, directly impacting sales, especially during a key period like a new registration month,” said Dray Agha, Senior Manager of Security Operations at Huntress, in remarks to BizClik. While JLR’s quick shutdown of systems was a textbook damage limitation tactic, Agha noted that the real challenge now lies in safely rebooting complex, interconnected operations after an attack.
Experts emphasize that cybercriminals are increasingly targeting operational technology (OT) alongside traditional IT systems, aiming for maximum disruption rather than just data theft. Katie Barnett, Director of Cyber Security at Toro Solutions, told BizClik, “The recent JLR cyber incident underscores the critical importance of robust cyber security, especially when protecting the intricate supply chains that underpin modern manufacturing. Early detection of supply chain vulnerabilities is vital to minimising the impact of such breaches.” Barnett stressed the need for continued investment in third-party risk and resilience audits, real-time monitoring, and rapid response strategies to ensure operational integrity and customer trust.
The attack on JLR is part of a broader pattern in 2025, with major brands like M&S, Co-op, Harrods, Adidas, and Pandora all experiencing disruptive cyber incidents resulting in financial losses and operational paralysis. The BBC reported that, in the case of M&S, a cyberattack cost the company an estimated £300 million in lost sales and supply chain disruption. Co-op faced attempted ransomware breaches that forced system shutdowns across thousands of stores, while Harrods managed to avert a breach but had to restrict internet access and shut down select systems as a precaution.
These incidents highlight how interdependent and digitized business operations have become, making any disruption potentially devastating. Shankar Haridas, Head of UKI at ManageEngine, told BizClik, “These back-to-back security incidents, especially on major global brands, is definitely a matter of concern. The impact on UK businesses is profound and increasingly concerning. While businesses continue to invest heavily in frontline defences, attackers are finding new ways in – exploiting weak links in digital supply chains or infiltrating through trusted vendors. With the rise of AI, the threat is reimagined like never before and driving an ever greater velocity of attacks.”
For JLR, the road to recovery will require not only technical remediation but also transparent communication with customers and partners to restore confidence. Nivedita Murthy, Senior Security Consultant at Black Duck, emphasized, “Jaguar did the right thing by shutting down its IT system before the attack spread further and caused damage. As part of the post-incident activity, they would be able to identify how the attackers were able to access the systems and take advantage of them. This incident is another reminder to retailers that emphasises the need to work on securing business operations as well as customer data to ensure smooth production and uncompromised trust.”
As JLR and other affected companies work to restore normal operations, the message from cybersecurity professionals is clear: robust, proactive security measures and rapid incident response are no longer optional—they are essential for survival in an increasingly digitized and interconnected business landscape.
