Jaguar Land Rover Pauses Production After Extensive Cyberattack

On September 2, 2025, Jaguar Land Rover announced the organization had been impacted by a cyber incident which would require a controlled restart of global operations.
Published on September 19, 2025

Incident Summary

  • In early September 2025, Jaguar Land Rover (JLR), a British luxury vehicle manufacturer, was hit by a devastating cyberattack that severely disrupted its production and retail operations.
  • The attack, claimed by the Scattered Spider cybercrime group, led to the theft of some data from JLR's systems. The company initially reported no evidence of customer data theft but later confirmed a data breach.
  • The cyberattack forced JLR to extend its production halt into a third week, costing the company at least £50 million weekly in lost output. The disruption has also significantly impacted JLR's supply chain, with suppliers like Autins facing financial strain.
  • JLR is working on a controlled restart of its global operations while continuing its forensic investigation. The incident has raised concerns about the vulnerability of the industrial sector to cyberattacks and calls for government intervention to support affected businesses and workers.

The Issue

The cyberattack on Jaguar Land Rover was a sophisticated and targeted incident that severely disrupted the company's operations. The attackers, identified as the Scattered Spider group, were able to infiltrate JLR's systems and steal sensitive data. This data breach has raised concerns about the potential exposure of customer information and the broader implications for the company's reputation and liability.

The attack also had a significant impact on JLR's production and supply chain. The company was forced to halt operations at its British plants for over three weeks, costing an estimated £50 million per week in lost output. This disruption has had a ripple effect on JLR's extensive supply chain, with smaller suppliers like Autins facing financial strain and the potential for layoffs.

Response and Restoration

In response to the attack, JLR acted quickly to isolate its systems and prevent further damage. The company shut down IT operations across its distributed facilities to limit the attackers' ability to move laterally through the network. This decisive action likely helped to contain the incident and minimize the overall impact.

JLR is now working to carefully and methodically restart its global operations in a controlled manner. The company is conducting a thorough forensic investigation to understand the full extent of the breach and the data that may have been compromised. JLR has also informed relevant regulators about the incident and is committed to contacting any individuals whose data may have been affected.

Lessons Learned

The JLR cyberattack highlights the need for organizations, particularly in the industrial and manufacturing sectors, to prioritize robust cybersecurity measures and incident response planning. Some key recommendations include:

1. Diversifying technology stacks: Reliance on a single technology or vendor can create a monoculture that increases risk. Organizations should strive for a diverse technology ecosystem to mitigate the impact of a successful attack on any one system.

2. Securing Active Directory: Attackers often target Active Directory as a means to move laterally through a network. Implementing strong authentication, eliminating legacy protocols, and implementing comprehensive monitoring are essential.

3. Adopting a zero-trust model: The traditional perimeter-based security approach is no longer sufficient. Organizations should transition to a zero-trust model that verifies and continuously monitors all access, regardless of the user or device.

4. Enhancing supply chain resilience: The JLR incident underscores the need for organizations to understand their supply chain dependencies and implement measures to ensure business continuity in the event of a disruption.

5. Increasing government support: The broader economic impact of the JLR cyberattack highlights the need for government intervention and support for affected businesses and workers. Policymakers should consider emergency measures and funding to mitigate the ripple effects of such incidents.

Actor Summary:

Scattered Spider is a prolific eCrime adversary that has conducted a range of financially-motivated activity since early 2022. The group initially targeted firms specializing in customer relationship management (CRM) and business-process outsourcing (BPO), as well as telecommunications and technology companies. Over time, Scattered Spider expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors, leveraging sophisticated social-engineering techniques like phishing, SIM swapping, and exploiting weak verification processes to gain unauthorized access. The group is known for deploying ransomware, often acting as an affiliate for ransomware groups like ALPHV/BlackCat, to extort victims and threaten to leak stolen data. Scattered Spider is a financially-motivated, native English-speaking cybercriminal group that has been active since at least 2022 and is believed to have members based in the United States and United Kingdom.
