Jaguar Land Rover (JLR), the iconic British carmaker owned by Tata Motors, is facing one of the most significant crises in its history after a sweeping cyber attack brought its global operations to a standstill. The attack, first identified on August 31, 2025, has left production lines idle across the United Kingdom, Slovakia, and India, and has rippled through JLR’s supply chain, affecting tens of thousands of workers and dealers worldwide.
According to Autocar, the company confirmed that the hack, which struck on September 1, forced an immediate shutdown of its internal IT systems. Since then, not a single car has rolled off the assembly line, and the financial toll is expected to reach into the millions of pounds. The disruption has been so severe that JLR’s public-facing website is functioning only partially—while the main site remains live, the car configurator isn’t accepting new build orders, instead directing customers to purchase vehicles from existing stock.
JLR acted quickly, bringing in police and cybersecurity experts over the weekend following the attack to “restart our global applications in a controlled and safe manner.” The investigation revealed that “some data” had been “affected,” a JLR spokesperson told Autocar on September 10, adding, “We now believe that some data has been affected and we are informing the relevant regulators. Our forensic investigation continues at pace and we will contact anyone as appropriate if we find that their data has been impacted. We are very sorry for the continued disruption this incident is causing and we will continue to update as the investigation progresses.”
The company’s internal investigation is ongoing, and while it has not yet confirmed the full extent of the breach, it has started the process of notifying those whose information may have been compromised. This has raised concerns about the safety of customer data, though JLR has stated there is “no evidence any customer data has been stolen” as of the latest updates.
The attack’s impact has been felt most acutely by JLR’s workforce. The majority of employees at key UK production sites in the West Midlands and Merseyside have been told to stay home since September 1. Workers at factories in Slovakia and India are also affected. Labour MP Derek Twigg, whose constituency includes the Halewood plant, emphasized the gravity of the situation in the House of Commons: “Many of my constituents are employees, which is also the case for my neighbouring Merseyside MPs. Thousands of jobs in the supply chain have been affected.”
JLR employs approximately 39,000 people worldwide, and many more depend on its supply chain. Despite the shutdown, workers are still being paid, with lost hours being “banked.” Dealers remain open, but with computer systems down, they are forced to register cars manually—a laborious process, especially during what is usually one of the busiest periods for vehicle registrations in the UK.
The cyber attack has also drawn the attention of the UK government. Business Minister Sir Chris Bryant addressed Parliament on September 9, stating, “I wish that I could provide [a timeline for resuming operations], but I cannot. This is a very live situation that has been ongoing for a week.” He added that JLR is receiving “daily” support from the government to manage the crisis, and that the government would provide “every possible support” to JLR and its supply chain companies.
The question of who is behind the attack remains unresolved. On September 3, a group known as Scattered Spider, along with Lapsus$ and ShinyHunters, claimed responsibility for the breach via the instant messaging platform Telegram, boasting about their exploits and sharing screenshots purportedly from JLR’s internal IT systems. These groups, which previously targeted Marks & Spencer in April 2025—causing the retailer to suspend online trading for six weeks and lose an estimated £300 million—are believed to be made up of young, English-speaking hackers. Four individuals were arrested in connection with the earlier M&S attack and have since been released on bail.
According to The Telegraph, the hackers exploited a known vulnerability in SAP Netweaver, a third-party software used by JLR. The US Cybersecurity and Infrastructure Security Agency (CISA) had previously warned about this flaw, and while an update was released, it remains unclear whether JLR had implemented it prior to the breach. It is also not known if a ransom demand has been made or what specific data may have been stolen. The BBC reported that the hacking group is attempting to extort money from JLR but has not confirmed whether they successfully accessed private data.
In Parliament, Conservative MP Dame Harriett Baldwin pressed the government to rule out the possibility of state sponsorship behind the attack. Sir Chris Bryant responded, “Can I say who’s responsible? No, I’m afraid I can’t. I note what is in the public domain, I have no idea whether that is accurate or not, and I don’t want to impede the investigation. [Dame Harriett] asked, is it state-sponsored? Again, I don’t want to jump to conclusions. I can’t, I’m afraid, I can neither confirm nor deny anything.”
The debate in the Commons also touched on broader national security concerns. Former Defence Secretary Sir Gavin Williamson warned, “The attack on JLR is not the first of its kind, and it certainly won’t be the last of its kind, and you will see increasingly state actors using criminal gangs, whether originating from Russia, North Korea, Iran, using this as a way of getting hard cash into those countries.” Bryant echoed these concerns, stating, “We simply cannot afford any degree of complacency in this, there are major criminals operating in this space, as well as some malicious state actors, and some 40% of companies in the UK last year reported that they had faced some kind of cyber attack.”
As JLR works “around the clock” to restart operations “in a controlled and safe manner,” the company has invited local MPs to a Q&A session to discuss the impact of the shutdown on their constituents. The government, meanwhile, is preparing to introduce a new Cyber Security and Resilience Bill to Parliament, aiming to strengthen the UK’s defenses against such attacks in the future.
Sir Chris Bryant also issued a stern warning to businesses about the risks of ransomware: “Paying the criminals doesn’t get you out of the hole. They’re not to be trusted, and people should be extremely cautious. We do not recommend in any circumstances, people paying ransomware. It doesn’t solve the problem, and what it actually does is it adds to the business model of these criminals, and it’s the criminals we want to see behind bars.”
For now, the full extent of the breach and its long-term implications for JLR and the wider UK economy remain unclear. But with factories silent, workers at home, and a forensic investigation still underway, the episode serves as a sobering reminder of the vulnerabilities facing even the most storied industrial giants in the digital age.
