Jaguar Land Rover extends UK factory shutdown after cyber attack

Jaguar Land Rover (JLR) said its UK factories will remain closed until next week after a cyber attack that halted production at three sites and disrupted supply chains.

Production at the Solihull, Halewood and Wolverhampton plants was stopped after the incident, which came to light on 1 September, and staff were told not to come into work until Monday at the earliest. The closures are expected to wipe out about two full weeks of global output; the company normally builds roughly 1,000 cars a day.

"As a result of our ongoing investigation, we now believe that some data has been affected, and we are informing the relevant regulators," the carmaker said. "Our forensic investigation continues at pace, and we will contact anyone as appropriate if we find that their data has been impacted." The company did not specify which types of data were affected or how many individuals or organisations might be impacted.

JLR said it shut down its IT networks after detecting the incident to protect systems from further damage. Because modern factories and parts supply networks depend on automated, networked systems, the IT shutdown forced production lines to stop. Dealerships were unable to process sales during a typically busy period, and garages servicing JLR vehicles initially struggled to obtain parts. The company and its suppliers have introduced workarounds that have eased some disruption, but problems persist.

A group identifying itself as Scattered Lapsus$ Hunters, which has previously claimed responsibility for attacks on several UK retailers, has said it was behind the attack on JLR. Earlier this year, an attack attributed to a related group affected Marks & Spencer's operations for months and was estimated to have cost the retailer about £300 million.

JLR, which is owned by India's Tata Motors, confirmed it had reported the incident to the Information Commissioner's Office. The National Cyber Security Centre (NCSC), part of the British signals intelligence agency GCHQ, has been working with the company since the early stages of the incident, the Business Minister, Chris Bryant, told parliament. Bryant is due to meet JLR's chief executive, Adrian Mardell, before the end of the week, and local members of parliament were scheduled to be briefed by the company in an online call.

Company statements emphasise that the forensic investigation is ongoing and that regulators have been notified. JLR said it will contact anyone whose data is found to have been affected. It has not provided a timeline for when production will fully resume or indicated whether the lost output will be made up.

The episode underscores the vulnerability of highly automated industrial production to cyber incidents. Security experts have long warned that the interdependence of manufacturing operations, logistics and corporate IT increases the potential for single incidents to cascade across supply chains and customer-facing services. For JLR, the immediate priorities identified by officials and the company are containing the incident, restoring secure operations, and determining the scope of any data exposure.

The company and government agencies did not disclose technical details about how the attack was executed or what specific systems were affected. The investigation by JLR's internal teams and external forensic specialists, supported by the NCSC, is continuing.