Jaguar Land Rover hit by cyberattack forcing UK production halt
Jaguar Land Rover has suffered a major cyberattack that has halted production and caused widespread disruption across its operations, affecting manufacturing facilities, global IT systems, and dealership activities.
The attack, which came to light in early September 2025, led to the shutdown of vehicle production at key sites in the United Kingdom, including Solihull and Halewood. International production locations and retail operations have also been affected, with dealerships reportedly experiencing difficulties in registering new vehicles.
Origin and impact
The breach has been claimed by the hacking collective known as "Scattered Lapsus$ Hunters," a group associated with previous high-profile attacks in the automotive and retail sectors. According to Simon Chassar, Interim Chief Operating Officer at e2e-assure, the attackers are believed to have exploited CVE-2015-2291, a vulnerability in the Intel Ethernet Diagnostics Driver for Windows. This method is characteristic of groups including Scattered Spider and Shiny Hunters, who have targeted prominent organisations such as MGM Resorts and Marks & Spencer in the past.
Industry observers note that the cyberattack's impact is amplified by the highly interconnected nature of Jaguar Land Rover's (JLR) production and supply chain systems. Chassar described the company's "just-in-time" logistics model as a "metaverse of connected buyers and suppliers," noting that every component and vehicle update in the systems is constantly synchronised across a global network. The decision to proactively disable IT systems, while potentially limiting the extent of the breach, has resulted in immediate production stoppages and protracted business interruption.
Chassar commented, "By 'pulling the plug' JLR may have saved the amount of effort required by an incident response company to wipe, clean and recover the entire systems affected from backups with minimal data loss. However, it will unfortunately still take weeks to fully restart ... but with updated cyber protections and patches to limit a follow on attack." He emphasised the scale of recovery required, from password resets to firewall rule corrections, alongside the inherent challenges of restoring interconnected operational technology and IT systems.
Supply chain and financial implications
Justin Browne, Chief Technology Officer at Modu, highlighted that the incident's consequences extend beyond JLR to its parent company, Tata Motors, and a wide-reaching web of suppliers and partners. The attackers, Browne suggested, may have gained access via a smaller third-party supplier, illustrating the risk posed by trusted connections within complex supply chains.
"The costs of stopping the production line are staggering and go far beyond the immediate production loss. Every hour of downtime is a direct loss of revenue that can easily run into the millions of dollars per day. The domino effect with suppliers and dealers magnifies the operational and reputational costs," Browne said.
He also warned that such incidents can trigger regulatory scrutiny and potential fines under data protection frameworks such as GDPR, with further lasting effects on brand reputation and customer trust.
Martin Jakobsen, Chief Executive Officer at Cybanetix, commented, "Shutting down systems to prevent the progress indicates that the identification of the breach has come late in the chain of the attack and the perpetrators are already within the IT infrastructure. The time for restoring their operations is now entirely dependent on the forensic data available, and the complexity and type of attack."
Cybersecurity challenges
Michael Reichstein, Chief Information Security Officer at QUONtech, highlighted the increasing sophistication of cyber attackers. He noted the fundamental imbalance in cybersecurity, describing it as asymmetric warfare, where any single point of human or technical weakness can lead to a breach.
"Stopping these attacks requires a shift from a purely preventative mindset ('building a higher wall') to one of assumed breach and resilience. This means having robust systems to detect, respond to, and recover from an attack as quickly as possible, accepting that a breach is a matter of 'when' not 'if'," Reichstein said.
He noted that groups such as the alleged perpetrators of the JLR breach focus on identity-based attacks and social engineering, targeting individuals rather than technical vulnerabilities. "The key takeaway is that the 'way in' was likely through a person, not just a piece of technology. Security awareness training helps, but humans are fallible," Reichstein added.
Ongoing response and industry ramifications
The company has initiated a "controlled restart" of its global applications and is working to resolve widespread outages across its operations. Reports indicate that the process of restoring IT infrastructure and resuming full production is expected to take several weeks, with intensive efforts underway to strengthen cyber protections and recover business operations.
Chassar underscored the necessity for major budget allocations to cybersecurity, particularly services that integrate alerting for IT, operational technology, and Internet of Things devices with rapid detection capabilities. He characterised the attack as a "wake up call" for the manufacturing sector, stating that cyber criminals are focusing on operational resilience due to the profound disruption and expense caused by attacks in this area.
This recent attack marks the second documented cyber incident affecting JLR in 2025, following a previous breach by the HELLCAT ransomware group earlier in the year. JLR, Tata Motors, and their security partners continue to work towards full operational recovery and the implementation of enhanced cyber defences.