Jaguar Land Rover says some data affected after cyber attack, notifies regulators
Forensic investigation continues as global IT shutdown halts production and dealer services; National Cyber Security Centre providing support

Jaguar Land Rover (JLR) said Wednesday that an ongoing forensic investigation into a cyber attack on its information technology systems has found that "some data has been affected," and that the company has informed relevant regulators.
The confirmation marks a change from the manufacturer's earlier statements that there was "no evidence any customer data has been stolen." JLR said it will contact anyone as appropriate if it determines their information has been impacted. The company also said third-party cybersecurity specialists and law enforcement had been engaged to understand the full consequences of the incident.
JLR halted its global online systems late on Sunday, Aug. 31, after detecting the attack. The shutdown forced the company to stop production at multiple plants, including sites in the United Kingdom, Slovakia, India and Brazil, and rendered dealer registration systems, spare parts catalogues and diagnostic tools unavailable. Staff at UK vehicle plants in Halewood and Solihull and at the engine centre in Wolverhampton were sent home and, according to reporting by the Daily Mail, were instructed not to return to work until at least Sept. 15.
The company cautioned that the restoration of complex, interconnected applications would be carried out in a "controlled and safe manner" and said the investigation was continuing "at pace." It added: "We are very sorry for the continued disruption this incident is causing and we will continue to update as the investigation progresses."
The attack has already produced significant operational disruption. Dealers faced difficulties registering new vehicles during one of the busiest months for car sales, maintenance appointments have been delayed because diagnostic equipment is offline, and suppliers have reported interruptions that have prompted temporary layoffs in some cases. Internal briefings cited by The Times said executives expect recovery to take "a matter of weeks rather than days."
A group that calls itself "Scattered Lapsus$ Hunters" claimed responsibility for the breach last week. The group, described in reporting as young English-speaking hackers, posted images that purported to show internal troubleshooting instructions and computer logs. Security experts who examined those images warned they appeared to indicate access to information that should not have been exposed, though the attackers have not publicly confirmed the nature or extent of any data exfiltration or whether malicious software was installed on JLR's network.
The attack follows a series of high-profile intrusions this year affecting other U.K. retailers and organisations, including Marks & Spencer and the Co-op, where an initial assessment that minimised the impact was later revised after evidence of broader data theft emerged. Those incidents underscored the potential for cyber intrusions to have larger consequences than first understood.
Cybersecurity specialists emphasised the particular vulnerability of modern manufacturing to cybersecurity incidents. Dray Agha, senior manager of security operations at Huntress, said the JLR case "highlights the critical vulnerability of modern manufacturing, where a single IT system attack can halt a multi-billion-pound physical production line, directly impacting sales, especially during a key period like a new registration month." Agha added that restarting systems safely is a complex operation and that containment and recovery can be lengthy.
David Bailey, a professor of business economics at Birmingham University, warned of the potential economic impact, saying the disruption could cost the company "a catastrophic" £5 million a day, and noted there could be longer-term commercial consequences if customers turn to other manufacturers while registrations are delayed.
The United Kingdom's National Cyber Security Centre (NCSC) said it is working with JLR to provide support as the company seeks to understand the full ramifications of the breach. Regulators have been informed, and JLR has said it will notify affected individuals as appropriate once forensic work clarifies what data, if any, have been compromised.
As the investigation continues, the company faces a timetable for phased system restoration, ongoing cooperation with law enforcement and external cybersecurity teams, and mounting pressure from suppliers and retailers affected by the operational stoppage. JLR said it will provide further updates as new information becomes available.