Case Study – Jaguar Land Rover Cyberattack

Jaguar Land Rover experienced a significant cyber attack this month. The impact on production was massive. The financial impact is, reportedly, huge.

As Jaguar Land Rover resumes production, we look at the JLR cyber attack or cyber incident to see what happened and if we could learn a lesson or two from the reported breach.

When did JLR cyberattack happen?

Reportedly, Jaguar Land Rover (JLR) experience a major cyber attack on August 31, 2025.

By September 1, JLR’s IT teams detected an intrusion in its network and took the drastic step of proactively shutting down systems to contain the damage. 

On September 2, 2025 the company acknowledged the cyberattack. Manufacturing operations were halted and employees were asked not to report for work due to the cyber incident.

Sales, registration, and production lines were brought to a standstill. The company stressed that there is no evidence that customer data was stolen, though it acknowledged ‘some data’ was impacted and regulators have been notified.

The outage stopped production at major UK sites in Solihull, Halewood, and Wolverhampton, and also disrupted plants in Slovakia, Brazil, and India.

What is the severity of the JLR cyberattack?

The CMC is an independent, non-profit organisation that analyses and categorises cyber events, which impact the UK financially. It has classified the JLR incident as a Category 3 event, which is significant. Category 5 is the most severe.

Who are the threat actors behind the JLR cyber attack?

A hacker group calling itself “Scattered Lapsus$ Hunters” claimed responsibility for the JLR cyber breach of late August and early September in 2025.

Almost immediately after JLR’s systems went down, this threat group boasted on Telegram that they had infiltrated JLR’s network and even shared screenshots of internal systems as proof. 

Some of these threat actors seem to have been behind the earlier cyber incident reported by Jaguar Land Rover in March 2025.

How did the JLR cyberattack happen? What was the cause of the JLR cyberattack?

From the limited information available, the cyber incident seems to have happened after a breach in one of the SAP systems.

The case notes or issue summary has not been shared by the company yet. But, from the information researched upon, it appears that an unpatched SAP Netweaver installation was compromised by the attackers to gain an entry into the network.

Security researchers believe the hackers exploited a vulnerability in SAP NetWeaver, third-party software used by JLR, to gain access. The US Cybersecurity and Infrastructure Security Agency had warned about this flaw earlier in the year, though it remains unclear whether JLR had applied available updates.

Subsequent to the initial entry, the hackers resorted to lateral entry and move through the infrastructure that is dispersed geographically.

What is the impact of the Jaguar Land Rover cyber attack?

JLR cyber attack is probably the biggest cyber attack of 2025. The impact is huge. Let us surmise the impact of JLR cyber attack.

1. The Jaguar Land Rover (JLR) cyber attack forced a minimum five-week production shutdown at JLR’s three major UK plants in Solihull, Halewood and Wolverhampton, halting the manufacture of approximately 1,000 vehicles daily.
2. Production was halted in UK plants on 2 September. The restoration of affected systems started on 3 September 2025. Production was resume in a phased approach from 7 October 2025. During these 5 weeks, production was totally impacted at the UK manufacturing plants of Jaguar Land Rover.
3. Reportedly, JLR’s cyber attack led to a decline of 30 percent over September 2024’s dispatches.
4. JLR cyber attack is being touted as the most economically damaging cyber event in UK history, according to security researchers.
5. Cybersecurity for JLR, a Tata Motors brand, is managed or outsourced to TCS or Tata Consultancy Services.
6. Over 5000 small business organizations connected in one way or the other with Jaguar Land Rover have been impacted. Supply chain companies have experienced delays and challenges in employee management.
7. Once an initial access was gained by attackers, the nature of laterally connected systems meant that the scope of cyber attack assume gigantic scale in no time.
8. The financial impact is gauged to be in the range of £ 1.9 billion or $ 2.8 billion. The UK Government has stepped in with an offer of loan to JLR to tide over the impact of this cyber attack.
9. The incident has been rated a ‘Category 3’ cyber incident.

Summary

• JLR’s cyber attack shows that vulnerabilies ought to be patched on a proactive basis rather than on a reactive basis. Unconfirmed reports suggest that a vulnerability in SAP Netweaver was used to target JLR infrastructure.
• JLR’s production in UK was impacted for 5 weeks. A phased restoration of production operation was initiated in the first week of September 2025.
• The nature of interconnected systems in Jaguar Land Rover’s IT infrastructure exasperated the cyber incident. Better network segmentation may be advised to preempt or limit the scope of such cyber attacks.
• Financial impact is seen at this point at $2.8 billion. It may rise further after a full resolution summary and investigation reports have been shared by Tata Motors, the company that owns Jaguar Land Rover in UK.