My thoughts are with everyone at Jaguar Land Rover who’s dealing with the aftermath of this week’s cyber security incident. I know first-hand how incredibly stressful these situations are – not just for the IT and security teams working around the clock to restore systems, but for every employee whose livelihood has been disrupted, every customer facing delays, and every partner in the supply chain feeling the ripple effects. The pressure is immense, and I want everyone affected to know that the cyber security community is thinking of you.
While no organisation wants to find itself in this position, there are important lessons we can all learn from JLR’s experience. This incident, which unfolded over the weekend of August 31st, demonstrates both the challenges we face in our increasingly connected world and the critical importance of robust cyber security practices.
Understanding What Happened
Let’s examine the facts constructively. JLR detected what they called a “cyber incident” that forced them to proactively shut down their global IT systems – a decision that, whilst disruptive, was absolutely the right call from a containment perspective. The result was production shutdowns at their major plants in Halewood and Solihull and dealerships unable to register new vehicles or supply parts, all during one of their busiest periods – the September new registration plate launch.
The human impact was immediate: staff sent home from manufacturing plants, customers unable to complete purchases, and a supply chain temporarily halted.
What’s particularly concerning is that this is JLR’s second major cyber security incident this year, following an attack in March that involved stolen source code and tracking data.
The Threat Landscape: Understanding Our Adversaries
The attack has been claimed by a group operating under the name “Scattered Lapsus$ Hunters” – a merger of well-known threat actors including Scattered Spider, Lapsus$, and ShinyHunters. These are the same cybercriminals who have systematically targeted British brands throughout 2025, including Marks and Spencer (costing around £300 million after forcing a six-week shutdown), Co-op, and Harrods.
What we’re seeing is strategic targeting of high-profile British brands during their most vulnerable periods. They’ve expanded from retail into aviation during the summer holidays, and now they’re focusing on automotive manufacturing. The group operates with concerning confidence, using Telegram channels to claim responsibility and share screenshots of compromised systems.
Four young people have been arrested in connection with these attacks, demonstrating that law enforcement is taking these crimes seriously, though clearly more work remains to be done.
The Technical Insights: Learning from the Attack Vector
Understanding how this attack occurred helps us all strengthen our defences. According to investigations, the breach was linked to old, third-party credentials that were never properly revoked – a reminder of how important credential lifecycle management is in our complex digital environments.
The attackers reportedly exploited a known vulnerability in SAP NetWeaver software – CVE-2025-42999 – which allows remote code execution. The US cyber agency CISA had already issued warnings about this flaw earlier this year, with patches available.
This highlights the critical importance of timely patch management, particularly for third-party software components.
The cascade effect was significant because of network architecture challenges. When networks lack proper segmentation between IT and operational technology, security incidents can rapidly spread across entire infrastructures. JLR’s need to shut down both production and retail operations simultaneously illustrates this interconnectedness.
The Reality of Modern Threats
Whilst JLR hasn’t publicly confirmed receiving ransom demands, the attackers have indicated they’re attempting to extort money through their typical playbook. Modern cyber security threats aren’t just about encrypting systems – they focus heavily on data exfiltration and leverage.
Automotive manufacturers present attractive targets because they store vast amounts of valuable data: employee information, supplier contracts, dealership data, and critically, intellectual property including vehicle development code. When cybercriminals access source code for connected vehicles, we’re potentially looking at long-term safety implications that extend far beyond immediate operational disruption.
Addressing the Human Elements
What’s most constructive about analysing this attack is recognising the human factors that contribute to cyber security challenges. The fundamental issues here involve:
- Legacy credential management: Historical access that requires ongoing governance
- Patch management coordination: Ensuring timely updates across complex environments
- Network architecture evolution: Developing robust segmentation as organisations grow
- Third-party risk management: Maintaining security standards across supply chains
These challenges are particularly acute in large organisations that have grown through acquisitions, like JLR under Tata Motors ownership. Complex IT environments naturally develop over time, and maintaining comprehensive visibility becomes increasingly challenging.
For everyone dealing with these pressures right now, please remember that these are industry-wide challenges, not failures of individual teams or organisations.
Supporting Recovery and Resilience
JLR’s measured approach to communicating recovery timelines shows responsible incident management. Recovery from attacks of this magnitude typically requires weeks to months of careful work. Teams need to ensure no persistent access remains, rebuild compromised systems from verified clean backups, and safely restart production lines without risking further disruption.
The automotive industry faces unique recovery challenges because of the convergence of IT and operational technology. Manufacturing systems require careful validation before coming back online – safety and quality cannot be compromised in the rush to restore operations.
During this incredibly stressful time, it’s essential that organisations provide proper support for their teams. Cyber security incidents create enormous pressure, and the wellbeing of the people managing the response is just as important as the technical recovery work.
Building Stronger Defences Together
The JLR incident highlights important considerations for the entire automotive sector. As vehicles become increasingly connected and software-defined, manufacturers face evolving threat landscapes that require adaptive security strategies.
Positive steps the industry can take include:
- Strengthening credential governance with regular audits and automated lifecycle management
- Enhancing network architecture with robust segmentation between critical systems
- Developing comprehensive third-party risk programmes with regular security assessments
- Building resilient incident response capabilities that can contain and recover from breaches effectively
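As an illustration of the credential audit recommended above, and of the unrevoked third-party access discussed earlier, here is an added example (not code from JLR or from any investigation). The account names, inventory fields and policy thresholds are all assumptions made for the sketch.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical policy thresholds (assumptions, not taken from the article).
MAX_IDLE = timedelta(days=90)         # unused for longer than this -> stale
MAX_SECRET_AGE = timedelta(days=180)  # secret older than this -> rotate
TODAY = date(2025, 9, 1)              # constructed audit date

@dataclass
class Credential:
    account: str
    owner_type: str               # "employee" or "third_party"
    contract_end: Optional[date]  # end of the supplier engagement, if any
    last_used: Optional[date]     # None means never used
    secret_issued: date
    enabled: bool

def audit(creds, today):
    """Return {account: [reasons]} for enabled credentials that break policy."""
    findings = {}
    for c in creds:
        if not c.enabled:
            continue  # already revoked, nothing to do
        reasons = []
        if c.owner_type == "third_party":
            if c.contract_end is None:
                reasons.append("third-party account has no contract end date")
            elif c.contract_end < today:
                reasons.append("contract ended, access not revoked")
        if c.last_used is None or today - c.last_used > MAX_IDLE:
            reasons.append("idle beyond policy")
        if today - c.secret_issued > MAX_SECRET_AGE:
            reasons.append("secret overdue for rotation")
        if reasons:
            findings[c.account] = reasons
    return findings

# Constructed sample inventory; in practice this comes from the identity provider export.
INVENTORY = [
    Credential("svc-supplier-portal", "third_party", date(2023, 6, 30), date(2023, 5, 2), date(2021, 1, 15), True),
    Credential("vendor-maint", "third_party", None, date(2025, 8, 20), date(2025, 7, 1), True),
    Credential("j.smith", "employee", None, date(2025, 8, 29), date(2025, 6, 1), True),
    Credential("old-integrator", "third_party", date(2022, 12, 31), None, date(2020, 3, 1), False),
]

if __name__ == "__main__":
    for account, reasons in audit(INVENTORY, TODAY).items():
        print(f"{account}: {'; '.join(reasons)}")
```

Run on a schedule, a check like this turns “regular audits” into a list of named accounts with a reason attached to each, which is what a revocation workflow needs as input.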
Moving Forward Constructively
The Jaguar Land Rover attack reminds us that cyber security is fundamentally about business resilience and operational continuity. Whilst JLR’s immediate containment response demonstrates good practice, this incident also highlights opportunities for the entire industry to strengthen collective defences.
Rather than viewing these challenges pessimistically, we can use them as catalysts for improving our security postures. Every incident teaches us something valuable about threat actor techniques, defensive gaps, and recovery processes.
For organisations reviewing their own cyber security programmes, remember that this work is about protecting people: your employees, customers, and communities. It’s demanding work that requires ongoing attention, but it’s also work that makes a real difference in keeping our digital world safe and functional.
To everyone at JLR working through this challenging time: the cyber security community recognises your professionalism and dedication. These situations test organisations in extraordinary ways, and your response will undoubtedly provide valuable lessons that help protect others in the future.
We’re all in this together, which, as the name suggests, is what Cyber Security Unity is all about – building a stronger, more collaborative and more inclusive cyber security community to help combat the growing cyber threat.
Together we’ll continue building more resilient, secure systems that protect what matters most.