The Impact of Major Cyber Attack on JLR’s Production Lines

Jaguar Land Rover (JLR) has suffered a major cyber attack that has severely disrupted its global production and retail operations. 

The incident forced the iconic British luxury car manufacturer to shut down IT systems proactively and halt manufacturing lines at key plants. 

While no customer data appears to have been compromised, the attack has had significant operational and commercial impacts, highlighting the growing cyber risks facing the automotive industry.

This follows a host of high-profile cyber attacks on brands including M&S, Co-op and Harrods.

An overview of the JLR cyber attack

JLR, which is owned by India's Tata Motors, confirmed that its computer systems were targeted in a cyber incident that led to the shutdown of production lines at factories in Merseyside and Solihull in the UK, as well as sites globally. 

The company has issued instructions for employees not to come to work or to leave the sites to contain the attack. 

The shutdown has disrupted both manufacturing and retail operations, with dealerships unable to register new vehicles.

This comes during the rush of new car registration plates released on 1st September. 

In a statement, JLR says: “We took immediate action to mitigate its impact by proactively shutting down our systems. We are now working at pace to restart our global applications in a controlled manner.

“At this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted.”

JLR cyber attack: the operational and financial repercussions

The automotive sector’s tightly integrated production and supply chains mean that cyber incidents like this can quickly start drastic operational disruptions. 

The close integration of IT systems with operational technology (OT) controlling manufacturing can force companies to shut down production to prevent further damage or spread of the attack. 

Each hour of downtime can cost millions of pounds in lost output and sales. 

On top of this, the inability to register new cars at dealerships meant customers could not legally take delivery of their vehicles, creating immediate revenue losses for the company and its retail partners.

Dray Agha, Senior Manager of Security Operations at Huntress, says: “This incident highlights the critical vulnerability of modern manufacturing, where a single IT system attack can halt a multi-billion-pound physical production line, directly impacting sales, especially during a key period like a new registration month. 

“Cybercriminals know this and many leverage the stopped clock of business functions as the leverage they need to force capitulation of ransomware demands.

“It is not known if ransomware was involved in the Jaguar Land Rover attack, but ransomware actors target manufacturers for a reason.

“While the quick shutdown of systems was a textbook damage limitation tactic that likely prevented a data breach, it underscores the immense recovery challenge companies now face in safely rebooting complex, interconnected operations after an attack. 

“In 2025, there are still companies that wait until a devastating cyberattack to invest in a robust security posture. 

“Fortunately, Jaguar Land Rover appears to have had processes and procedures in place to ‘lessen the effect’ and return to business as usual. 

“Containment and recovery are crucial parts of responding to an incident and many organisations still do not have the detection and response technologies to neutralise security intrusions.”

Cybersecurity challenges in automotive industry

JLR’s breach illustrates the increasing exposure of automotive manufacturers to sophisticated cyber threats.

Modern car manufacturing involves a complex ecosystem of tier-1 and tier-2 suppliers and heavily digitised operations, making the sector an attractive target for cybercriminals.

Experts warn that threat actors are shifting focus from data theft to causing operational disruption through ransomware and other attacks, capitalising on the digital dependencies in manufacturing and retail networks.

Katie Barnett, Director of Cyber Security at Toro Solutions, says: “The recent JLR cyber incident underscores the critical importance of robust cyber security, especially when protecting the intricate supply chains that underpin modern manufacturing. 

“Early detection of supply chain vulnerabilities is vital to minimising the impact of such breaches.

“These events are highly disruptive and stressful for everyone involved in restoring systems and resuming operations. They serve as a further reminder to reassess your IT resilience.

“While third-party vendors are essential to supply chain efficiency, it’s important to ask the following questions: Do they have the right security controls in place? Can you detect system infiltration early enough to contain the damage? Are your incident response plans ready to activate and restore business continuity at speed?

“With its complex global networks, the automotive industry remains a high-value target for cyberattacks. 

“Continued investment in third-party risk and resilience audits, real-time monitoring and rapid response strategies is essential to contain threats and recover swiftly, ensuring operational integrity and customer trust.”

The rise in cyber attacks on household names

In 2025 alone, there has been a sharp increase in cyber attacks targeting major household brands, exposing the vulnerabilities of even well-established companies with significant resources. 

Aforementioned retail giants such as M&S, Co-op and Harrods, as well as Adidas and Pandora, have all faced disruptive cyber incidents, ranging from ransomware deployments to unauthorised system access, leading to operational paralysis, significant data breaches and considerable financial losses.

In the case of M&S, the cyber attack caused an estimated £300m (US$402m) profit hit due to lost sales, supply chain disruption and operational costs, while also impacting customer trust and leading to data theft. 

The attack, which lasted for nearly a month and affected M&S’ fashion, home and food divisions, forced the company to suspend online orders and caused empty shelves in stores.

Co-op’s attempted ransomware breach forced system shutdowns across 2,300 stores, disrupting supply chains and exposing sensitive member data. 

Harrods managed to prevent a cyberattack but had to restrict internet access and shut down select systems as a precaution. 

This calibre of incident is often linked to sophisticated hacker groups employing social engineering and phishing tactics that exploit third-party vendor weaknesses.

The attacks also expose how interdependent and digitised business operations have become, making any disruption potentially devastating. 

And, as highlighted by industry experts, breaches spotlight the critical importance of cybersecurity vigilance, third-party risk management and rapid incident response capabilities for maintaining business continuity and protecting consumer data.

Shankar Haridas, Head of UKI at ManageEngine, says: “These back-to-back security incidents, especially on major global brands, is definitely a matter of concern. 

“The impact that this has on UK businesses especially is profound and increasingly concerning. This brings to the forefront the relentless challenges organisations face in protecting their digital assets.

"While businesses continue to invest heavily in frontline defences, attackers are finding new ways in – exploiting weak links in digital supply chains or infiltrating through trusted vendors.

“With the rise of AI, the threat is reimagined like never before and driving an ever greater velocity of attacks.

"No organisation can close every gap. That is why security can no longer be seen as an insurance policy – it must be embedded as a core strategic priority and a fundamental part of every organisation’s toolkit.”

Nivedita Murthy, Senior Security Consultant at Black Duck, adds: “The first step after detecting a security incident is containment. 

“Jaguar did the right thing by shutting down its IT system before the attack spread further and caused damage. 

“As part of the post-incident activity, they would be able to identify how the attackers were able to access the systems and take advantage of them. 

“This incident is another reminder to retailers that emphasises the need to work on securing business operations as well as customer data to ensure smooth production and uncompromised trust in software, as attackers are increasingly targeting retail operators to access customer base information.

“People within an organisation tend to be the weakest links and any information gained on customers could be used for future phishing attacks or scams. 

“The fraud industry is thriving and more and more people are falling victim due to the fact that a lot of information on customer activity is available online.”