Jaguar Land Rover Says Some Data Affected as Cyberattack Forces Global Shutdown

Jaguar Land Rover said Wednesday that an ongoing forensic probe into a cyberattack that forced it to shut down global IT systems has determined "some data has been affected," and the company is notifying relevant regulators.

The British automaker, which closed its online network after the breach late on Sunday, Aug. 31, previously said there was no evidence that customer data had been stolen. In its latest statement the company said investigators now believe some data has been affected and that it will contact individuals if their data is found to have been impacted. A JLR spokesperson declined to elaborate beyond the company statement.

JLR has enlisted third-party cybersecurity specialists and law enforcement to determine the full scope of the breach. The company disabled its IT network in a containment move and has not yet restored online applications. The shutdown has halted IT-dependent functions including online parts catalogues, diagnostic equipment used in repairs and the ability of dealers to register new vehicles. JLR said it was working to reinstate systems in a "controlled and safe manner." A spokesperson apologized for the disruption and said updates will follow as the investigation progresses.

The attack has already forced temporary closures at JLR vehicle plants in Halewood and Solihull and an engine plant in Wolverhampton, with production suspended at factories in Slovakia, India and Brazil. The company sent UK factory staff home more than a week ago; the Daily Mail reported workers were told not to return until at least Monday, Sept. 15. JLR has warned that bringing systems back online is a complex process and that it could take "a matter of weeks rather than days" to fully restore operations.

A group calling itself "Scattered Lapsus$ Hunters," believed to be young, English-speaking hackers, claimed responsibility for the intrusion last week. The group has posted images purportedly taken from JLR systems showing internal troubleshooting instructions and computer logs. Security specialists who examined those images said they appeared to show access to information the hackers should not have, but the group has not confirmed whether it exfiltrated private data or deployed malicious software.

The attack has raised concerns about the broader industrial impact. Some local suppliers have temporarily laid off staff in response to the near operation-wide shutdown, and analysts warn the disruption could have a prolonged effect on the supply chain. David Bailey, professor of business economics at the University of Birmingham, said the economic cost should not be underestimated, estimating the disruption could cost the company "a catastrophic" £5 million a day. JLR did not confirm that estimate.

Cybersecurity practitioners said the incident underscores how an IT compromise can paralyze modern manufacturing. Dray Agha, senior manager of security operations at Huntress, said the shutdown was a necessary containment move but highlighted the difficulty of safely restarting interconnected systems. "Containment and recovery are crucial parts of responding to an incident, and many organisations still do not have the detection and response technologies to neutralise security intrusions," Agha said.

The incident also carries potential customer-facing consequences. With dealers limited in their ability to register vehicles, new car registrations could be delayed during one of the busiest months of the sales calendar. Ongoing problems with parts catalogues and diagnostic tools may also delay repairs for existing customers.

JLR said it has informed the appropriate regulators and will contact individuals if their data is affected. The company has also said it is working with the National Cyber Security Centre, which a spokesperson said was providing support as JLR assesses the breach's full ramifications.

The attack follows a string of high-profile retail and membership breaches earlier in the year, including incidents affecting Marks & Spencer, Harrods and the Co-op. In April, the Co-op initially downplayed the impact of a breach, but its chief executive later confirmed in July that the personal data of 6.5 million members had been stolen. Those cases have been cited in discussions about the time it can take to fully understand the scope of intrusions and the potential for initial assessments to change as investigations progress.

JLR said restarting systems will be carried out in a phased way, prioritising safety and integrity of operations. The company did not provide a timetable for a full resumption of production or for when it will know the exact nature and extent of the affected data. Regulators and law enforcement remain involved as the investigation continues.