Jaguar Land Rover says some data affected after cyber attack, production remains halted

Jaguar Land Rover said Wednesday that an ongoing forensic investigation into a cyber attack on its IT systems has found that "some data has been affected," and that the company is notifying relevant regulators.

The announcement follows the car maker's decision to take global online systems offline after the breach late on Sunday, Aug. 31. Jaguar Land Rover (JLR) said it will contact individuals as appropriate if their data is found to have been impacted, but the company declined to specify whether the affected information includes customer records.

JLR has drafted in third-party cybersecurity specialists and is working with law enforcement and the U.K. National Cyber Security Centre, which said it is providing support as the company seeks to understand the full ramifications of the incident. The company also said it was continuing to update stakeholders as the investigation progresses.

The breach has had immediate operational consequences. JLR shut down production at several factories, including vehicle plants in Halewood and Solihull and its engine plant in Wolverhampton, and halted systems at facilities in Slovakia, India and Brazil. The company disabled its IT network to contain the incident and has been unable to use diagnostic equipment, online parts catalogues and other applications needed for manufacturing and retail operations.

Workers at the U.K. plants were told to stay home a week ago and, according to reporting by the Daily Mail, were instructed not to return until at least Monday, Sept. 15. JLR has not built new vehicles since the shutdown, and dealers have faced limits on registering new models during one of the calendar's busiest months for sales. The company said it is attempting to reinstate online applications "in a controlled and safe manner."

Security experts and industry observers have warned of a prolonged recovery. JLR executives have privately conceded it could be a matter of weeks rather than days before systems are fully restored, according to The Times. Suppliers have already reported temporary layoffs as parts deliveries and production schedules were disrupted, and analysts warned of wider economic effects in the supply chain.

The group that claimed responsibility called itself "Scattered Lapsus$ Hunters," and published two images last week that appear to show internal troubleshooting instructions for a car charging issue and internal computer logs. The group previously asserted responsibility for an attack on Marks & Spencer earlier in the year. While the hackers have claimed credit for the JLR breach, they have not publicly confirmed whether they successfully exfiltrated private data or installed malicious software on JLR's network.

Security researchers who analyzed the images posted by the group said they appeared to show access to information that should not have been publicly available. Dray Agha, senior manager of security operations at Huntress, said the incident illustrates how attacks on IT systems can halt complex manufacturing operations and pressure companies to resolve incidents quickly. "Restarting these systems is a complex operation," Agha said. "Containment and recovery are crucial parts of responding to an incident, and many organisations still do not have the detection and response technologies to neutralise security intrusions."

JLR said it had engaged third-party specialists and law enforcement to "understand the full consequences of the attack." The company apologized for the disruption the incident is causing and said it would continue to update as the investigation progresses.

The financial impact of the shutdown has been described by some economists as significant. David Bailey, professor of business economics at the University of Birmingham, told media outlets the disruption could cost JLR millions of pounds per day and noted that the firm faces reputational risks if customers and retailers are unable to register or take delivery of new vehicles.

The National Cyber Security Centre declined to provide operational details but said it was working with JLR. The car maker has informed regulators and will notify any individuals should investigators determine their personal data was compromised. JLR's announcement and the response from authorities mark the latest example of how cyber intrusions can produce immediate physical and commercial effects across the automotive sector and broader manufacturing supply chains.