Cyber Attack Causes Severe Operational Disruptions on Jaguar Land Rover’s Production

A cyber attack hit luxury automaker Jaguar Land Rover (JLR), causing operational disruptions and forcing workers to stay at home.

Coventry, England-based JLR is owned by India’s auto juggernaut, Tata Motors, and employs over 32,000 people across the United Kingdom.

According to an incident notice posted on its website, the automaker responded promptly by proactively shutting down its IT systems to contain the cyber intrusion.

Jaguar Land Rover operational disruptions caused by a cyber attack

Jaguar Land Rover’s shutdown response caused severe operational disruptions across manufacturing, sales, and distribution. However, the company has found no evidence that the attacker copied and transferred any customer data from its systems.

“At this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted,” the company stated.

The luxury auto giant is working cautiously to restore impacted systems and resolve the widespread operational disruptions.

Despite the operational disruptions, Nivedita Murthy, Senior Staff Consultant at Black Duck, believes that JLR’s shutdown response was warranted.

“The first step after detecting a security incident is containment,” he noted. “Jaguar did the right thing by shutting down its IT System before the attack spread further and caused damage.”

However, the company has not stated when the operational disruptions will be resolved and normal production resumed. While JLR has also introduced workarounds to minimize disruptions, production and sales may continue to be impacted.

Additionally, the operational disruptions extend beyond JLR’s systems. They affect auto parts suppliers and repair workshops, some of which have begun to worry about potential shortages.

Meanwhile, JLR has yet to disclose the identity of the threat actor, the attack vector exploited, or whether any ransom demands had been made.

Seemingly, the cyber attack bears the telltale signs of a typical ransomware incident. However, the luxury auto giant remains unsurprisingly tight-lipped on whether the malicious actors deployed ransomware and encrypted its devices.

Typically, ransomware attacks involve some degree of data exfiltration for double extortion, particularly when carried out by some of the prolific data leakers suspected of being behind the JLR cyber incident. In fact, encryption attacks are falling out of fashion due to their complexity and risk, in favor of pure exfiltration attacks.

Scattered Lapsus$ Hunters claims Jaguar Land Rover cyber attack

Meanwhile, a cybergang known as Scattered Lapsus$ Hunters has claimed responsibility for the JLR cyber attack. The previously unknown collective is likely a coalition of hackers from the English-speaking cyber gangs Scattered Spider, Lapsus$, and ShinyHunters.

Widespread attacks on the U.K.’s luxury retailers Marks & Spencer, Harrods, and the Co-op were attributed to Scattered Spider. Similarly, ShinyHunters is widely linked to the voice phishing (vishing) hacking campaign targeting the Salesforce cloud-based CRM system.

Later, the cybercrime gang posted screenshots of the automaker’s internal systems and instructions for troubleshooting a car’s internal charging system, suggesting it had accessed technical information. Lapsus$ hackers were notorious for stealing sensitive assets, including source code, technical information, and instruction manuals from high-profile companies, such as Microsoft, Okta, NVIDIA, Samsung, Ubisoft, and Vodafone.

While the group provided proof of access, it has not claimed to have stolen personal data or deployed ransomware. However, it has admitted to attempting to extort the company.

Meanwhile, JLR has confirmed that it was aware of the alleged hackers’ claims and is investigating them. The National Crime Agency (NCA) also confirmed that it was aware of the cyber attack, was investigating it, and was working with its partners to determine the scope of the incident.

Nevertheless, the cyber attack is hardly JLR’s first data breach. In 2025, the HELLCAT ransomware gang claimed to have breached the automaker using stolen Atlassian Jira credentials.

Still, Mr. Agnidipta Sarkar, Chief Evangelist at ColorTokens, believes that the recent JLR data breach, which caused widespread operational disruptions, was potentially a more significant breach than the former.

“This new attack, leading to the systematic shutdown of production facilities and retail systems, suggests either a ransomware attack or a significant system compromise,” Sarkar said. “Clearly, JLR needs to immediately implement capabilities to prevent lateral movement that attackers resort to after an initial breach, among other cybersecurity controls.”

He also warned that the cyber attack seriously threatened the automotive supply chain, underscoring the need for zero-trust across the entire organizational IT infrastructure: “This shutdown would eventually affect the entire supply chain. As a zero trust ambassador, I can only state that it is time for organizations to implement a zero trust foundation across IT, OT, and cloud.”