Login
iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Powered by MOMENTUMMEDIA
The cyber attack at Jaguar Land Rover (JLR) continues to cause havoc for the brand, as factory work delays continue, extending until late this month.
The car manufacturer, owned by Tata Motors in India, revealed that it had suffered a cyber attack at the beginning of September, announcing that it had shut down its systems to prevent further damage.
“JLR has been impacted by a cyber incident. We took immediate action to mitigate its impact by proactively shutting down our systems,” Jaguar Land Rover said in a recent but undated statement on its corporate website.
“We are now working at pace to restart our global applications in a controlled manner.”
The company originally told staff at its manufacturing plants in Solihull, Wolverhampton, and Halewood on Merseyside to stay home until 9 September, with their hours being banked to be picked up later, while their pay remains normal.
However, the stay home order was extended, and now the factories are set to remain closed until 24 September, JLR said this week.
“We have taken this decision as our forensic investigation of the cyber incident continues, and as we consider the different stages of the controlled restart of our global operations, which will take time,” it said.
Media organisations have reported that the outages at JLR could last much longer, including some reporting October, while The Telegraph reported it could last until November.
However, JLR has said that this is not its position on the matter.
While the company originally said there was no sign that any data had been stolen by the threat actors, it has since confirmed that data was compromised. It did not provide details as to what data had been impacted.
With concerns that the JLR cyber attack could have major financial impacts, including on other organisations in the supply chain and 104,000 jobs that work in it, the Unite trade union said that government support would be needed to mitigate the damage.
Additionally, Minister of the Department of Business and Trade, Chris McDonald, said he had met with JLR to “discuss their plans to resolve this issue and get production started again”.
“Our cyber experts are supporting JLR to help them resolve this issue as quickly as possible,” he said.
The cyber attack was claimed by the Scattered Spider hacking collective, after the hackers taunted the company on Telegram.
“Where is my new car, Land Rover,” it said.
It is believed that the hackers are blackmailing the manufacturer for money.
Scattered Spider is the same hacking collective believed to be responsible for the cyber attack on M&S, which suffered a four-month outage as a result of the cyber attack. However, this time, Scattered Spider claimed the cyber attack as part of the new hacking supergroup Scattered Lapsus$ Hunters, which is made up of Lapsus$ and Shiny Hunters.
While the cyber attack on JLR could impact the manufacturer for quite some time, car dealerships and repair garages were reportedly still operating, thanks to less dependence on digital systems. The dealerships reportedly were at one point using manual systems and phone calls to do business, and in some cases, using pen and paper.
Jaguar Land Rover is no stranger to cyber attacks in recent times. A hacker on a popular hacking forum claimed to have stolen several hundred files from the company in March 2025.
“In March 2025, Jaguar Land Rover – a renowned global automotive brand with reported revenue of $29.9 billion – suffered a major data breach,” the hacker, calling themself Rey, said.
“The leak includes around 700 internal documents (development logs, tracking data, source codes, etc.) and a compromised employees dataset exposing sensitive information such as username, email, display name, time zone, and more.”
The hacker posted a sample of the data, which appeared to feature the details of several JLR employees. JLR did not respond to Cyber Daily at the time of the hacker’s claim.
According to cyber security firm Hudson Rock, Rey was a representative of the Hellcat ransomware operation. Rey later claimed that their entry point into JLR’s network was an Atlassian Jira instance, which Rey had earlier harvested from an LG Electronics employee the year before.
“Despite their age, the credentials remained valid and unchanged within JLR’s systems – a lapse that hackers exploited years later,” Hudson Rock said in a blog post at the time.
“This delay between infection and exploitation is a reminder of the long tail of info-stealer campaigns, where stolen data can linger as a latent threat until the right buyer comes along.”
Be the first to hear the latest developments in the cyber industry.
