Cyberattack: Jaguar Land Rover Resumes Operations After More Than a Day

Wednesday, 8 October 2025, Jaguar Land Rover (JLR) has finally resumed vehicle production in the United Kingdom, putting behind it a devastating cyberattack that had paralysed the group for more than six weeks. Employees returned first to the Wolverhampton engine plant and to the cutting workshops at Castle Bromwich, Halewood, and Solihull.

However, the restart remains gradual. By the end of the week, the manufacturer aims to restart the Range Rover and Range Rover Sport production lines at the Solihull site. Manufacturing operations in Slovakia are expected to follow the same timetable.

“I want to thank all JLR colleagues for their commitment, hard work and the efforts over recent weeks that have brought us to this point. We know there is still a lot to do, but our recovery is well under way,” said Chief Executive Adrian Mardell, expressing the palpable relief across Britain’s automotive supply chain.

A Weekend That Changed Everything

The incident unfolded over the weekend of 31 August, when JLR’s internal monitoring systems detected unauthorised access to critical infrastructure. In a move praised by cybersecurity experts, the company immediately shut down its systems to limit the breach and prevent mass data theft.

“We took swift steps to mitigate the impact by proactively closing down our systems,” JLR said in its official statement. “We are now working at full speed to reboot our global applications in a controlled manner.”

The timing could not have been worse: the assault coincided with the release of the new UK number plates on 1 September, traditionally one of the busiest months for car sales in Britain. The consequences were immediate and severe.

The four major UK plants—Halewood (Merseyside), Solihull (West Midlands), Wolverhampton and Castle Bromwich—halted operations. International operations in Slovakia, China, India, and Brazil were also paralysed, resulting in a global production standstill.

The Collective “Scattered Lapsus$ Hunters” Claims the Attack

Responsibility for the breach was claimed by a hacker collective known as “Scattered Lapsus$ Hunters” (SLSH), a name that security researchers say signals an unprecedented fusion of three notorious crime groups: Scattered Spider, Lapsus$, and ShinyHunters—the same outfits that have been active against Red Hat and Salesforce.

The BBC reported the group’s claims after receiving direct communications via encrypted messaging platforms. To prove their intrusion, the hackers shared screenshots allegedly taken from JLR’s internal networks, including troubleshooting instructions for vehicle charging systems and internal IT logs.

SLSH is no stranger to such activity. In May, components of this group orchestrated devastating attacks against retail giants Marks & Spencer, Co-op and Harrods. The assault on M&S, in particular, caused losses of about £300 million and disrupted operations for more than four months, providing a worrying precedent for the potential duration of the JLR incident.

And of course the costs were staggering. Over the total period of the production halt, weekly losses reached around £50 million (roughly €57 million).

The human impact was equally severe. About 33,000 JLR employees in Britain were told to stay at home, with production workers receiving full pay during the disruption. But beyond JLR’s direct workforce, roughly 6,000 workers in the supplier network were temporarily laid off as production ground to a halt.

Beyond manufacturing, the attack disrupted commercial operations as well. Dealerships across the UK were unable to register new vehicles, effectively preventing the sale of finished cars. Repair garages and service centres had to revert to printed catalogs and manual processes after losing access to JLR’s electronic parts ordering systems.

The Automotive Industry, a Prime Target for Cybercriminals

The assault on JLR sits within a troubling pattern of cyberattacks targeting the global automotive sector. Security researchers have documented more than 735 significant cybersecurity incidents aimed directly at automakers since 2023, with the sector recording over 100 ransomware incidents and 200 data breaches in 2024 alone. That makes automotive manufacturing the most-targeted industry worldwide.

Among notable recent incidents is the BlackSuit ransomware attack on CDK Global in June 2024, which crippled software systems used by more than 15,000 dealerships in North America. CDK reportedly paid a $25 million ransom to restore services, with total business-interruption losses estimated at $1 billion.

The gravity of the cyberattack mobilised the UK’s National Cyber Security Centre (NCSC): “We are working with Jaguar Land Rover to provide support in relation to an incident.” Law enforcement, including the National Crime Agency, are conducting a thorough investigation into the breach.

A Cautious and Methodical Recovery

JLR’s recovery efforts have been complicated by the need to balance speed with security, ensuring that systems are not only restored but also properly hardened against future attacks. Cybersecurity experts have praised JLR’s methodical approach, noting that rushing to bring systems back online without proper security validation could leave the company vulnerable to subsequent attacks.

Returning to normal production will still take time. While the phased restart is a hopeful sign, JLR’s teams continue their forensic investigations and are working to strengthen their systems to prevent a recurrence. For Britain’s automotive flagship, the priority is to make up for lost ground while restoring the confidence of customers, employees and business partners in its ability to safeguard operations against ever more audacious malicious actors.

Questions also persist about JLR’s cybersecurity investments, despite substantial expenditure on digital transformation. In 2023, the company signed a five-year contract worth £800 million with Tata Consultancy Services (TCS) to provide cybersecurity and IT support.