Jaguar Land Rover was forced to shut down production systems over the weekend after being hit with a cyber attack, the company has revealed.
The car manufacturer said it acted immediately to mitigate the attack by proactively shutting down systems in a move that thwarted attackers.
"We are now working at pace to restart our global applications in a controlled manner," JLR said in a statement. "At this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted."
According to the BBC, the attack took place on Sunday, with employees at the company's plants in Halewood, Merseyside, and Solihull in the West Midlands sent home or told not to come into work the following day.
"JLR's decision to proactively shut down global manufacturing suggests this attack may have been targeting their operational systems, not just customer data," said Oakley Cox, director of operational technology of product at Darktrace.
"The speed of their response is telling - you don't typically halt production across multiple sites unless there's genuine concern about operational impact."
The attack appears to have been carefully timed, coming just as new registration plates are launched - the company's busiest time of year. Attacking over the weekend, meanwhile, meant that Jaguar Land Rover was less likely to able to respond and contain the threat.
No ransomware group has claimed responsibility. However, the automotive sector is becoming a highly attractive sector for hackers, thanks to increasing digitization and growing integration between IT and operational technology (OT).
According to Upstream Security’s 2025 Automotive & Smart Mobility Cybersecurity report, attacks against the automotive sector are on the rise - and getting bigger. The number of 'massive-scale' incidents, impacting millions of vehicles, more than tripled between 2021 and 2023, rising from 5% to 19%.
Jaguar Land Rover “did the right thing”
Nivedita Murthy, senior security consultant at Black Duck, said Jaguar Land Rover “did the right thing” by shutting down IT systems, which likely helped prevent the attack from spreading further and causing additional damage.
“As part of the post-incident activity, they would be able to identify how the attackers were able to access the systems and take advantage of them,” Murthy added.
Conversely, Nick Tausek, lead security automation architect at Swimlane, said the move raises serious questions about how organizations should react to security incidents.
"It is tentatively reassuring to see that, as of yet, no impact on customer data has been reported. However, entirely shutting down production and retail operations is not a sustainable countermeasure for cyber attacks," he said.
"JLR, as well as other automobile manufacturing organizations, should use this as a lesson in the importance of proactive cybersecurity."
This isn’t the first time the car manufacturer has fallen victim to a cyber attack. Earlier this year, it was hit by a breach that saw the theft of several gigabytes of sensitive data.
That particular incident exposed more than 700 proprietary documents, along with source code and employee and partner data.
"It raises the question of whether vulnerabilities from the prior attack still exist and were exploited to breach the company this time around," suggested Tausek.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Ransomware attack on IT supplier disrupts hundreds of Swedish municipalities
- Google says 'claims of a major Gmail security warning are false' following recent media reports
- Warning issued to Salesforce customers after hackers stole Salesloft Drift data
-
AI PCs will ‘become the norm’ by 2029 as enterprise and consumer demand surgesNews AI PCs are expected to make up a significant portion of the total PC market by the end of 2025 - and Gartner says they'll "become the norm" by 2029.
-
Mistral AI wants businesses to make new memories with Le ChatNews The company hopes new functionality and Connection Partners will broaden business appeal
-
The Salesloft Drift victim list keeps growing: Zscaler is the latest to confirm a breach, warning customers to remain wary of follow-up phishing attacksNews The company has warned customers that their data may have been accessed, saying it's implemented extra safeguards in response
-
Anthropic admits hackers have 'weaponized' its tools – and cyber experts warn it's a terrifying glimpse into 'how quickly AI is changing the threat landscape'News Security experts say Anthropic's recent admission that hackers have "weaponized" its AI tools gives us a terrifying glimpse into the future of cyber crime.
-
Google says 'claims of a major Gmail security warning are false' following recent media reportsNews Reports of a massive Gmail hack affecting billions of users have been denied by Google
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
Warning issued to Salesforce customers after hackers stole Salesloft Drift dataNews Customers were targeted through compromised OAuth access tokens from Salesloft Drift integrations
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Hackers are abusing ConnectWise ScreenConnect, againNews A new spear phishing campaign has targeted more than 900 organizations with fake invitations from platforms like Zoom and Microsoft Teams.
-
Security researchers have just identified what could be the first ‘AI-powered’ ransomware strain – and it uses OpenAI’s gpt-oss-20b modelNews Using OpenAI's gpt-oss:20b model, ‘PromptLock’ generates malicious Lua scripts via the Ollama API.
