Jaguar Land Rover halts UK production after cyber-attack as hackers claim responsibility
IT systems were taken offline and factory staff told to stay home while the carmaker works to restore networks; a group that targeted retailers has boasted of the intrusion
Jaguar Land Rover (JLR) instructed factory staff to stay at home and halted production at several UK sites after a cyber-attack forced the company to take vital IT systems offline, the carmaker said.
Production remained suspended at the Halewood and Solihull plants and at JLR’s engine centre in Wolverhampton as the company worked to restore systems in a controlled manner, and staff were told not to attend work at least until Tuesday while the situation remained under review. Retail operations were also disrupted at a traditionally busy time for vehicle deliveries.
JLR said the attack began on Sunday and that its IT teams detected the incident while it was in progress. The company shut down systems immediately on Sunday to reduce potential damage and has been introducing temporary work-arounds for key processes while carrying out a complex, staged recovery of its networks. It said there was no evidence that customer data had been stolen.
The disruption coincided with the release of a new batch of vehicle registration plates on 1 September, a period when many customers take delivery of new cars. BBC reporting said some transactions have been able to proceed, but overall sales and production were heavily affected. The company, which is owned by India’s Tata Motors, said output could remain suspended for longer as the situation is assessed.
A group of English-speaking hackers claiming responsibility posted on the messaging app Telegram, sharing screenshots that they say were taken from inside JLR’s networks. The gang, which has boasted of attacks on British retailers earlier this year, has identified itself as "Scattered Lapsus$ Hunters" and is reported to have taunted the carmaker online while seeking to extort money. In private messages cited by BBC reporters, a person claiming to be a spokesperson for the group described how they allegedly accessed JLR systems, but did not provide verifiable evidence that data was exfiltrated or that persistent malicious software was installed.
Cybercriminal gangs behind recent headline-making intrusions have sometimes exaggerated their access or impact to attract attention, security experts say. JLR said it was aware of the online claims and was investigating the matter alongside relevant authorities.
The company notified staff by email early on Monday that they should not come into work at affected sites after the intrusion was detected, according to reporting from local outlets. JLR said its emergency response teams and external specialists were working to restore normal operations as quickly and safely as possible, and that a controlled approach to recovery was necessary because of the complexity of the systems involved.
The attack represents a further example of how cyber incidents can ripple through manufacturing and retail supply chains, where digital systems increasingly control production scheduling, logistics and retail transactions. JLR has said it has implemented mitigations and is restoring services in stages to avoid further disruption.
JLR and its parent, Tata Motors, provided limited public comment as the company continued its internal investigation and recovery efforts. Officials did not elaborate on whether law enforcement or national cyber agencies had opened formal inquiries, but the incident is consistent with recent trends of high-impact ransomware and extortion attempts against prominent companies. The company said it would provide further updates when additional information became available and urged customers and staff to follow official communications for advice and next steps.