How has one breach had an impact across the world and how can you avoid a similar situation?
Every year, cyber-attacks become more frequent and more deadly, with 2025 having some of the most devastating in recent memory. Attacks have risen by 30% globally, with the damage caused by digital crime estimated to result in a total cost of $10.29 trillion in 2025.
In the UK, one incident stands out as particularly significant: the Jaguar Land Rover (JLR) attack. A little over a month after the attack, at the time of writing, JLR IT systems remain largely shut down, with manufacturing and production halted. We explore what happened and provide some insights as to how the situation could have been handled better.
How did the attack happen and who claimed responsibility?
The incident occurred on August 31st. September 1st is the UK’s “New Plate Day,” when a new batch of vehicles goes on sale, leading to a lot of sales for the company, so the attack was intended to cause as much chaos as possible. A group called Scattered Lapsus$ Hunters, consisting of members of Shiny Hunters, Lapsus$ and Scattered Spider (who claimed to have committed the attack on retailer M&S earlier in the year), took responsibility for the incident.
The group used stolen Jira credentials belonging to a third-party employee in the supply chain; the details were still valid years after they had last been used, making system access straightforward. Hackers targeted vulnerabilities to gain initial access to JLR’s network, before deploying custom malware to harvest credentials, exfiltrate and encrypt data, and tamper with production control systems.
How did Jaguar Land Rover respond?
In response, JLR shut down all their IT systems, effectively pulling the plug to stop all online operations and halting production. At first, they didn’t specify if customer data had been stolen, but on September 10th they admitted that it may have been.
The company has remained in contact with the National Crime Agency and Information Commissioner’s Office (ICO) while the incident was first investigated, before connecting with the National Cyber Security Centre (NCSC). This is good practice from JLR: incidents must be reported to the ICO within 72 hours of a breach to mitigate risk, and other agencies can aid and advise.
What were the consequences of the cyber incident?
With essential IT systems down, processes fell apart: factories across the UK (Halewood, Solihull and Wolverhampton) were unable to operate; other factories in Slovakia, China and India also had to close; dealerships and garages were unable to serve JLR customers as they had no access to JLR’s online database to search for parts or new cars, so no new sales could be made and no repairs could be done to existing vehicles.
Initially, staff from UK factories were sent home before being told not to come in again until the following Tuesday (September 9th). It was speculated that this would be costly for JLR, but with the company having posted significant profits early in the year, the damage looked like it would be minimal, if it was only for a week. Unfortunately, this was not the case.
On September 8th, a day before the speculated return, JLR asked workers to remain at home until a week on Wednesday (September 17th). Before this date was reached, on September 11th, JLR announced the shutdown would continue until the week after that, and on September 23rd they shared that it was unlikely operations would resume within the next month. What had started as a frustrating but seemingly minor incident had snowballed into a catastrophic one for JLR and their staff.
While restoring IT systems in a controlled manner makes sense – it ensures the initial threat can’t spread any further – it is costing JLR an estimated £50-£100 million each week that they have been shut down. Workarounds were implemented to allow access to some basic IT elements, but not enough to outweigh this price.
What is the human cost?
While this amount lost is significant enough, as with any crime, you must think of the human cost. First, consider JLR employees in the factories that have been shut down. Being put on compulsory leave, with reduced or no pay, means that workers are struggling to get by. Many relied on overtime to make enough to cover their needs, so without the ability to work, they are struggling.
Then, go a step further, and think about all the companies that JLR works with. Some examples include the business that supplies their vehicles with the finishes on their interiors, or the company that runs staff by bus from the centre of town to the factories: with no work coming in, and JLR unable to pay invoices with IT services being down, these companies and their employees begin to suffer.
You can even go beyond that and consider the businesses in the places these factories are located, like in the West Midlands, or Merseyside. Often an industry like this is the heart of the community, with other companies relying on workers at the factory to keep them afloat. With staff wanting to save what little money is coming in, they’re not splashing out on local food and drink – entire communities are at risk.
How are problems being addressed?
In terms of the effect the shutdown is having on staff and suppliers, unions have called for a furlough scheme (like in Covid) to help support the quarter of a million people in the JLR supply chain. The government, who have been in constant communication with the company, considered this option, but instead opted to guarantee a £1.5 billion loan on behalf of JLR, from a commercial bank, to help protect jobs and support the supply chain.
This is the first time a company has received help from the UK government in this way – not just guidance and advice, but something that meant they had to get directly involved. Clearly, the government can see how the business collapsing could have greater costs, so it is better to invest now. However, if the problem persists, JLR may need more help, and there are no guarantees the government will be able to provide it.
When will the production shutdown end and manufacturing restart?
On September 25th, some IT processes were restarted, allowing a backlog of payments to suppliers to be sent. More online services are set to be gradually turned back online in a phased restart, ensuring everything is restored in a safe and secure manner.
A few days later, on September 29th, it was announced that manufacturing was to resume in the coming days, starting with the factory in Wolverhampton – primarily responsible for creating engines for the vehicles – on October 6th before expanding to other UK plants. In the last week, some IT systems have been restored: invoicing, logistics and financial systems are back online, and the Global Parts Logistics Centre is operational again.
So, after an uncertain month, it looks like more manufacturing operations will resume soon. The incident has helped to highlight how unprepared UK businesses are for online threats: what could they have done to avoid all this?
How could this have been prevented?
There are multiple stages of this incident where disaster could have been avoided, though information is still coming out about the incident, so it is difficult to know for sure. Take a look at the errors and what Landall Services’ cybersecurity specialists would have recommended to make an incident like this less likely to occur.
Problem 1: Stolen third-party credentials were used to get access
We would recommend rotating login details, putting expiration policies in place, restricting access to only what the user needs for their role, running frequent audits to spot issues like this, and adding a layer of protection with multi-factor authentication and malware monitoring.
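The audit recommended above can be automated against an export of your identity inventory. The following Python sketch is an added example, not code from Landall Services or JLR: the CSV column names, the sample rows and the 90-day and 180-day thresholds are all assumptions, chosen to show how credentials that are still valid long after their last use get surfaced.

```python
import csv
import io
from datetime import date

# Constructed sample export of an account inventory (not real data).
# The column names are assumptions for this example.
SAMPLE_EXPORT = """account,owner_type,last_login,password_set,mfa,enabled
contractor-jira,third_party,2021-03-14,2020-11-02,no,yes
a.khan,employee,2025-08-28,2025-07-01,yes,yes
plant-vendor-01,third_party,2025-08-30,2023-01-15,yes,yes
old-supplier,third_party,2019-06-01,2019-01-01,no,no
"""

MAX_IDLE_DAYS = 90       # assumed policy: expire credentials unused this long
MAX_PASSWORD_AGE = 180   # assumed policy: rotate at least this often


def audit(export_text, today):
    """Return {account: [findings]} for enabled accounts that break policy."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"] != "yes":
            continue  # already disabled: the credential can no longer be used
        issues = []
        idle = (today - date.fromisoformat(row["last_login"])).days
        age = (today - date.fromisoformat(row["password_set"])).days
        if idle > MAX_IDLE_DAYS:
            issues.append(f"unused for {idle} days but still valid")
        if age > MAX_PASSWORD_AGE:
            issues.append(f"credential not rotated for {age} days")
        if row["mfa"] != "yes":
            issues.append("no multi-factor authentication")
        # Supply-chain accounts sit outside your own joiner/leaver process,
        # so flag them for priority review whenever they break any rule.
        if issues and row["owner_type"] == "third_party":
            issues.insert(0, "third-party account: review first")
        if issues:
            findings[row["account"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit(SAMPLE_EXPORT, date(2025, 10, 1)).items():
        print(account)
        for issue in issues:
            print("  -", issue)
```

Run on a schedule, a report like this turns the expiration policy into something that is checked rather than assumed.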
Problem 2: Attackers were able to move across all sections of JLR’s network
Networks need to be segmented, with critical systems isolated, so that an attack is contained to a smaller area; firewalls can help to limit cross-network access. Data should be encrypted, so even if it is accessed, it isn’t easily usable.
Problem 3: The shutdown in response to the JLR cyber attack was reactive rather than planned
A response plan that all staff are trained to understand and follow would have been much more effective than just unplugging the entire system at once.
Problem 4: JLR reportedly had no cyber insurance active at the time of attack
It is important to have insurance in case of ransomware, business interruption, data recovery and other costs as systems are restored – staff and suppliers may have been better supported if insurance was in place.
Problem 5: Phishing and malware were likely utilised in the initial breach
Advanced Endpoint Detection and Response (EDR) tools are designed to find and stop cyber threats around the clock, while sandboxing can be used to test potentially malicious links in a secure environment. Training staff on what phishing threats are is vital, and setting up email filters to prevent phishing attempts from reaching them can make things easier.
Implementing these measures would not have guaranteed that the attack wouldn’t have happened – even if everything was perfect with JLR’s security setup, a breach could have occurred. However, it would have helped to reduce the chance of an attack, as well as reducing the impact it had, making recovery easier.
What can you learn from this?
The cost to the company, the staff and connected communities could have been reduced with the right investment in security. Despite being a large company, with security in place, they were still targeted and breached: hopefully, other companies can use this as a lesson, and we can avoid something on this scale happening again in future.
Does your digital security need improving? Or do you have any questions about any of the technologies or concepts discussed in this article? If so, please reach out to Landall Services: our IT services and security experts can help you to strengthen your resilience.



