Jaguar Land Rover (JLR) has fallen victim to a cyber-attack.
In a statement JLR said: “JLR has been impacted by a cyber incident. We took immediate action to mitigate its impact by proactively shutting down our systems. We are now working at pace to restart our global applications in a controlled manner.”
The company, owned by India’s Tata Motors, said at this time there is no evidence any customer data has been stolen but its retail and production activities have been severely disrupted.
It said it moved fast to contain the breach and is working to bring systems back online.
The attack began on Sunday, landing at a sensitive moment for the UK car market. New registration plates were released on 1 September, a key date for sales. The source of the attack is still unknown.
The halt in production is a fresh blow to the British multinational automobile manufacturer which recently revealed a slump in profits thanks to increasing in costs caused by US tariffs.
UK Businesses in the Crosshairs
“While increasingly common it is nevertheless disheartening to see yet another great UK business being hit by a cyber-attack,” comments Martin Jakobsen, CEO at Cybanetix.
“Shutting down systems to prevent the progress indicates that the identification of the breach has come late in the chain of the attack and the perpetrators are already within the IT infrastructure.”
Jakobsen says the teams at JLR will no doubt be working with their incident responders to determine the initial compromise, the infiltration point and the blast radius of the attack to determine the best course of action for service restorations while ensuring the attackers no longer have persistent access to JLR infrastructure.
“The time for restoring their operations is now entirely dependent on the forensic data available, and the complexity and type of attack.”
Not the First Attack
Agnidipta Sarkar, Chief Evangelist at Color Tokens, says JLR was attacked earlier, too. In March 2025, it was targeted by the HELLCAT ransomware group, which compromised Atlassian Jira credentials to steal hundreds of gigabytes of sensitive data.
“This new attack, leading to the systematic shutdown of production facilities and retail systems, suggests either a ransomware attack or a significant system compromise. Clearly, JLR needs to immediately implement capabilities to prevent lateral movement that attackers resort to after an initial breach, among other cybersecurity controls,” Sarkar adds.
“The attack poses a systemic cyber risk to the automotive supply chain, occurring at the confluence of IT and OT. This shutdown would eventually affect the entire supply chain. As a zero trust ambassador, I can only state that it is time for organizations to implement a zero trust foundation across IT, OT, and cloud.”
Jaguar Did the Right Thing
Nivedita Murthy, Senior Staff Consultant at Black Duck says Jaguar did the right thing by shutting down its IT System before the attack spread further and caused damage. “As part of post incident activity, they would be able to identify how the attackers were able to access the systems and take advantage of them.
She says this incident is another reminder to retailers that emphasizes the need to work on securing business operations as well as customer data to ensure smooth production and uncompromised trust in software, as attackers are increasingly targeting retail operators to access customer base information.
“People within an organization tend to be the weakest links and any information gained on customers could be used for future phishing attacks or scams. The fraud industry is thriving, and more and more people are falling victim due to the fact a lot of information on customer activity is available online,” Murthy adds.
Strengthen Security Controls
Piyush Pandey, CEO at Pathlock, says with widespread cyberattacks targeting retailers in recent months – and now expanding to manufacturers with the Jaguar Land Rover incident – security teams across both sectors should strengthen security controls to reduce exposure.
“Ensuring the principle of least privilege is implemented on a continuous basis is a fundamental step in addressing this risk. That includes automating access reviews to revoke excessive permissions, promptly locking down emergency access, and continuously monitoring critical applications to detect and terminate unauthorized activity quickly,” Pandey adds.
Standing Up in the Face of Adversarial Pressure
Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, says while not a lot is known publicly about the actual scope of impact, in operational technology environments, taking an environment fully offline to troubleshoot issues on the line is the expected practice.
“OT environments rely heavily on air gap protections – specifically isolating the network used for production from all other system (office, guest, and internet) networks. This is due to the lack of resilience and age-old system designs and architectures used by OT systems providers,” Ford adds.
“The time to see OT providers step into the modern, internet-resilient age is upon us. These fragile systems will continue to be impacted until they’re built to stand up in the face of adversarial pressure – like all modern technology and services are today,” he says.
The Critical Vulnerability of Modern Manufacturing
Dray Agha, senior manager of security operations at Huntress, comments: “This incident highlights the critical vulnerability of modern manufacturing, where a single IT system attack can halt a multi-billion-pound physical production line, directly impacting sales, especially during a key period like a new registration month.”
Agha says bad actors know this, and many leverage the stopped clock of business functions as the leverage they need to force capitulation of ransomware demands. “It is not known if ransomware was involved in the Jaguar Land Rover attack, but ransomware actors target manufacturers for a reason.”
“While the quick shutdown of systems was a textbook damage limitation tactic that likely prevented a data breach, it underscores the immense recovery challenge companies now face in safely rebooting complex, interconnected operations after an attack,” Agha adds.
“In 2025, there are still companies that wait until a devastating cyberattack to invest in a robust security posture. Fortunately, Jaguar Land Rover appears to have had processes and procedures in place to “lessen the effect” and return to business as usual. Containment and recovery are crucial parts of responding to an incident, and many organisations still do not have the detection and response technologies to neutralise security intrusions.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.