Jaguar Land Rover says cyber attack affected some data as global systems remain offline

Jaguar Land Rover said Thursday that some data has been affected by a cyber attack that forced the automaker to shut down its global IT systems in late August, reversing an earlier statement that there was no evidence customer information had been stolen.

The company said its forensic investigation is continuing "at pace" and that it is informing the relevant regulators. A JLR spokesperson added that the business will contact anyone as appropriate if it finds their data has been impacted.

JLR halted its online systems late on Sunday, Aug. 31, and has enlisted third‑party cybersecurity specialists and law enforcement to establish the full scope of the breach, the company said. The shutdown has left factory computer systems, online parts catalogues and diagnostic tools inoperable and has disrupted vehicle registration processes, dealer services and aftersales support.

Plants in the United Kingdom, Slovakia, India and Brazil were affected and UK factory workers have been sent home since the outage. The company has told staff at its Halewood and Solihull vehicle plants and its Wolverhampton engine centre not to report for duties until at least Monday, Sept. 15, a delay that means the firm may not build new vehicles for a fortnight.

The group that claimed responsibility identifies itself as "Scattered Lapsus$ Hunters," an English‑speaking group believed to consist of teenagers that earlier this year took responsibility for an attack on Marks & Spencer. The group posted two images last week that security analysts said appeared to show internal troubleshooting instructions and system logs, suggesting unauthorized access to internal systems.

Security specialists have cautioned that images posted by threat actors can indicate successful access even when an organisation initially believes data theft has not occurred. Dray Agha, senior manager of security operations at Huntress, said the incident "highlights the critical vulnerability of modern manufacturing, where a single IT system attack can halt a multi‑billion‑pound physical production line." He added that safely restarting interconnected systems after an attack is a "complex" operation.

JLR has acknowledged wider operational effects beyond factory suspensions. Dealers face difficulty registering new models during a peak month for sales, online spare‑parts catalogues cannot be accessed and diagnostic equipment used to identify reliability issues is not functioning, which could delay repairs for thousands of customers. Local suppliers have reported temporary layoffs as production and demand have been curtailed.

"We are very sorry for the continued disruption this incident is causing and we will continue to update as the investigation progresses," the company said in a statement. The National Cyber Security Centre said it is working with JLR to "provide support" as the automaker assesses the breach and its consequences.

Analysts warned of a potentially significant economic impact. David Bailey, professor of business economics at Birmingham University, said the disruption could cost the company millions of pounds a day and have a prolonged effect on the supply chain if outages continue.

The breach comes amid a wider trend of cyberattacks on UK retailers and services earlier this year. Co‑op and Marks & Spencer both disclosed incidents in which threat actors later asserted they had exfiltrated customer data. In the Co‑op case, the company ultimately confirmed in July that the personal data of 6.5 million members had been stolen following an April breach.

JLR said it will restore online applications "in a controlled and safe manner" and that the forensic investigation will determine whether specific types of data were accessed or taken. The company and national authorities urged customers and suppliers to await formal notifications rather than rely on material posted by the threat actor.

As the investigation continues, JLR faces operational challenges in bringing complex, interdependent systems back online and in managing the commercial and regulatory fallout if customer or supplier data is confirmed to have been compromised. The company said it will update regulators and affected parties as appropriate once the probe yields further findings.