Jaguar Land Rover (JLR)

Jaguar Land Rover (JLR) suffered a **major cyberattack in late August 2024**, attributed to the criminal gang *Scattered Lapsus$ Hunters*. The attack exploited a vulnerability in **SAP NetWeaver**, forcing JLR to **shut down global manufacturing sites** (UK, China, India, Brazil, Slovakia) for weeks. The disruption halted production of **~1,000 vehicles/day**, costing an estimated **£5M/day in lost profits** and **30,000+ 'lost' vehicles** that cannot be recovered. The supply chain collapse triggered **layoffs, short-time work schedules, and financial strain** affecting **13,000+ jobs** in the UK’s automotive sector, with suppliers facing **16% loan interest rates** and **emergency bank guarantees**. The UK government intervened with a **£1.5B emergency loan** to stabilize suppliers, an unprecedented bailout for a private, foreign-owned firm. The attack exposed **legacy IT vulnerabilities** in JLR’s Ford-era infrastructure, compounded by prior **unaddressed warnings** (e.g., June 2024 credential leaks reported by *Deep Specter Research*) and a **March 2024 ransomware breach** linked to the same hackers. Recovery remains slow, with **weeks needed to restore full capacity** and long-term reputational damage.

Source: https://economictimes.indiatimes.com/news/international/business/jaguar-land-rover-cyber-attack-why-uks-bailout-is-a-high-risk-move/articleshow/124353446.cms

TPRM report: https://www.rankiteo.com/company/jaguar-land-rover_1

"id": "jag0132901100725",
"linkid": "jaguar-land-rover_1",
"type": "Cyber Attack",
"date": "3/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Thousands (delayed vehicle '
                                              'deliveries, unresolved orders)',
                        'industry': 'Automotive',
                        'location': ['UK (West Midlands headquarters)',
                                     'Global (factories in China, India, '
                                     'Brazil, Slovakia)'],
                        'name': 'Jaguar Land Rover (JLR)',
                        'size': 'Large (part of Tata Motors; ~40,000+ '
                                'employees globally)',
                        'type': 'Automotive Manufacturer'},
                       {'industry': 'Technology',
                        'location': 'India (global operations)',
                        'name': 'Tata Consultancy Services (TCS)',
                        'size': 'Large (part of Tata Group)',
                        'type': 'IT Services Provider'},
                       {'customers_affected': 'Dozens of firms (77% reported '
                                              'negative effects, layoffs, '
                                              'financial losses)',
                        'industry': 'Automotive Supply Chain',
                        'location': 'West Midlands, UK',
                        'name': 'Black Country Automotive Suppliers (UK)',
                        'size': 'SMEs to mid-sized (13,000+ employees in the '
                                'region)',
                        'type': ['Manufacturers',
                                 'Parts Suppliers',
                                 'Logistics Providers']},
                       {'customers_affected': 'JLR’s Ingenium engine '
                                              'production',
                        'industry': 'Automotive',
                        'location': 'Northern Ireland, UK',
                        'name': 'Linamar Corp. (Dunmurry Plant)',
                        'size': 'Mid-sized (40+ agency staff laid off; 200+ on '
                                'short-time schedules)',
                        'type': 'Automotive Parts Manufacturer'},
                       {'customers_affected': 'Subframe components for JLR',
                        'industry': 'Automotive',
                        'location': 'UK',
                        'name': 'Gestamp (Newcastle Plant)',
                        'type': 'Automotive Components Manufacturer'},
                       {'customers_affected': 'JLR suppliers',
                        'industry': 'Automotive Supply Chain',
                        'location': 'Walsall, UK',
                        'name': 'Michael Beese’s Presswork Firm',
                        'size': 'Small (17 employees; layoffs initiated)',
                        'type': 'Metal Pressings Manufacturer'}],
 'attack_vector': ['Exploitation of SAP Netweaver Vulnerability',
                   'Credential Theft (via Infostealer Malware)',
                   'Command and Control Servers'],
 'customer_advisories': ['Limited updates to affected customers (e.g., Navarro '
                         'Jordan’s delayed Land Rover Defender).',
                         'Dealers lacked information to provide timely '
                         'responses.',
                         'No public compensation or remediation offers '
                         'announced.'],
 'data_breach': {'data_exfiltration': 'Yes (hackers published images of '
                                      'internal systems)',
                 'file_types_exposed': ['PDFs (vehicle documentation)',
                                        'System screenshots',
                                        'Potential databases'],
                 'sensitivity_of_data': 'High (internal operational and '
                                        'proprietary data)',
                 'type_of_data_compromised': ['Internal system screenshots',
                                              'Vehicle documentation',
                                              'Potential credentials (from '
                                              'infostealer malware)']},
 'date_detected': '2024-08-31',
 'date_publicly_disclosed': '2024-09-early',
 'description': 'A major cyberattack on Jaguar Land Rover (JLR) in late August '
                '2024 led to the shutdown of manufacturing sites worldwide, '
                'causing hundreds of millions in financial losses and severe '
                'supply chain disruptions. The attack was claimed by the '
                "criminal gang 'Scattered Lapsus$ Hunters,' which exploited a "
                'vulnerability in SAP Netweaver. The UK government intervened '
                'with a £1.5 billion emergency loan to mitigate the economic '
                "fallout, highlighting the attack's broader impact on jobs and "
                "regional economies. JLR's recovery has been gradual, with "
                'production resuming in phases but facing long-term '
                'operational and reputational challenges.',
 'impact': {'brand_reputation_impact': ['Negative publicity during Jaguar’s '
                                        'rebranding as an all-electric luxury '
                                        'marque',
                                        "Criticism of 'woke' advertising "
                                        'compounded by operational failures',
                                        'Erosion of trust among suppliers and '
                                        'customers'],
            'customer_complaints': ['Delayed vehicle deliveries (e.g., Navarro '
                                    'Jordan’s Land Rover Defender)',
                                    'Lack of transparency from dealers',
                                    'Frustration over unresolved orders'],
            'data_compromised': ['Internal systems documentation',
                                 'Vehicle documentation',
                                 'Potential customer/employee data '
                                 '(unconfirmed)'],
            'downtime': 'Weeks (manufacturing halted from late August; partial '
                        'restart began September 25, 2024)',
            'financial_loss': 'Hundreds of millions of dollars (estimated £5 '
                              "million/day in lost profits, 30,000+ 'lost' "
                              'vehicles)',
            'operational_impact': ['Complete halt of global production (1,000+ '
                                   'vehicles/day disrupted)',
                                   'Supply chain bottlenecks',
                                   'Layoffs and short-time work schedules at '
                                   'supplier firms',
                                   'Storage space shortages for unused parts'],
            'revenue_loss': 'Estimated £5 million/day (£150+ million for ~30 '
                            'days)',
            'systems_affected': ['Manufacturing systems (UK, China, India, '
                                 'Brazil, Slovakia)',
                                 'SAP Netweaver platform',
                                 'Supply chain logistics',
                                 'Production planning databases']},
 'initial_access_broker': {'entry_point': ['Exploited SAP Netweaver '
                                           'vulnerability',
                                           'Stolen credentials (via '
                                           'infostealer malware in March 2024 '
                                           'Hellcat attack)'],
                           'high_value_targets': ['Manufacturing systems',
                                                  'Vehicle design '
                                                  'documentation',
                                                  'Supply chain logistics '
                                                  'data'],
                           'reconnaissance_period': 'Months (evidence of '
                                                    'targeting since at least '
                                                    'June 2024; linked to '
                                                    'earlier March 2024 '
                                                    'intrusion)'},
 'investigation_status': 'Ongoing (collaboration with NCSC and law '
                         'enforcement; root cause analysis incomplete)',
 'lessons_learned': ['Legacy IT infrastructure (from Ford era) created '
                     'vulnerabilities; incremental upgrades insufficient.',
                     'Third-party risk management critical (TCS’s role in '
                     'cybersecurity questioned).',
                     'Early warnings (e.g., Deep Specter Research’s June '
                     'alert) must be acted upon.',
                     'Supply chain resilience requires proactive coordination '
                     'with SME suppliers.',
                     'Government bailouts for cyber incidents may create moral '
                     'hazard, reducing private-sector cybersecurity '
                     'incentives.'],
 'motivation': ['Financial Gain (likely ransomware or data extortion)',
                'Disruption',
                'Data Theft'],
 'post_incident_analysis': {'corrective_actions': ['Phased restart of systems '
                                                   'with enhanced monitoring.',
                                                   'Review of network '
                                                   'segmentation and '
                                                   'air-gapping policies.',
                                                   'Potential overhaul of SAP '
                                                   'Netweaver and other legacy '
                                                   'platforms.',
                                                   'Supply chain resilience '
                                                   'assessments.',
                                                   'Government-led review of '
                                                   'cybersecurity standards '
                                                   'for foreign-owned critical '
                                                   'firms.'],
                            'root_causes': ['Legacy IT infrastructure with '
                                            'overlapping systems (Ford-era '
                                            'foundations).',
                                            'Inadequate segmentation between '
                                            'internet-connected and factory '
                                            "systems ('holes' in air-gapped "
                                            'environments).',
                                            'Failure to act on early warnings '
                                            '(e.g., Deep Specter Research’s '
                                            'June 2024 alert).',
                                            'Credential theft via infostealer '
                                            'malware (linked to March 2024 '
                                            'Hellcat attack).',
                                            'Over-reliance on third-party IT '
                                            'services (TCS) without robust '
                                            'oversight.']},
 'ransomware': {'data_exfiltration': 'Yes (claimed by threat actors)',
                'ransom_paid': 'No (no confirmation of payment; UK government '
                               'banned ransom payments for critical '
                               'infrastructure)'},
 'recommendations': ['Replace or modernize legacy systems (e.g., SAP '
                     'Netweaver) with zero-trust architectures.',
                     'Enhance third-party vendor cybersecurity audits '
                     '(especially for IT service providers like TCS).',
                     'Implement automated threat detection for credential '
                     'theft (e.g., infostealer malware).',
                     'Develop supply chain contingency plans for prolonged '
                     'downtime.',
                     'Clarify government roles in cyber incident response to '
                     'avoid ad-hoc bailouts.',
                     'Improve transparency in customer communications during '
                     'incidents.'],
 'references': [{'date_accessed': '2024-10-05',
                 'source': 'Bloomberg News',
                 'url': 'https://www.bloomberg.com/news/articles/2024-10-04/jaguar-land-rover-cyberattack-shows-uk-s-vulnerability-to-hackers'},
                {'date_accessed': '2024-06-29 (email to JLR)',
                 'source': 'Deep Specter Research (Shaya Feedman)'},
                {'date_accessed': '2024-09',
                 'source': 'Black Country Chambers of Commerce Survey'},
                {'date_accessed': '2024-10',
                 'source': 'Royal United Services Institute (RUSI) - Jamie '
                           'MacColl'}],
 'regulatory_compliance': {'regulatory_notifications': ['UK National Cyber '
                                                        'Security Centre '
                                                        '(NCSC) involved',
                                                        'Potential GDPR '
                                                        'implications if '
                                                        'customer data '
                                                        'breached '
                                                        '(unconfirmed)']},
 'response': {'communication_strategy': ['Limited public statements',
                                         'Internal updates to '
                                         'employees/retailers/suppliers',
                                         'No detailed disclosure of ransom '
                                         'demands'],
              'containment_measures': ['Systems taken offline immediately',
                                       'Isolation of affected networks',
                                       'Backup restoration'],
              'enhanced_monitoring': 'Likely (post-incident reviews ongoing)',
              'incident_response_plan_activated': 'Yes (controlled, phased '
                                                  'restart of operations)',
              'law_enforcement_notified': 'Yes (collaboration with UK law '
                                          'enforcement)',
              'network_segmentation': 'Partial (some factory systems walled '
                                      "off, but 'holes' exploited)",
              'recovery_measures': ['Phased restart of manufacturing (began '
                                    'September 25, 2024)',
                                    'Supply chain coordination',
                                    'Government-backed financial support'],
              'remediation_measures': ['Patching SAP Netweaver vulnerability',
                                       'Credential rotation',
                                       'Network segmentation reviews'],
              'third_party_assistance': ['Cybersecurity specialists (unnamed)',
                                         'UK National Cyber Security Centre '
                                         '(NCSC)']},
 'stakeholder_advisories': ['UK government guaranteed £1.5 billion emergency '
                            'loan to stabilize supply chain.',
                            'Automotive industry analysts (e.g., Charles '
                            'Tennant) warned of long-term production gaps.',
                            'Unite union (Norman Cunningham) highlighted '
                            'worker hardships from layoffs/short-time '
                            'schedules.'],
 'threat_actor': ['Scattered Lapsus$ Hunters (coalition of Scattered Spider, '
                  'Lapsus$, Shiny Hunters)',
                  "Hacker using username 'Rey' (linked to March 2024 Hellcat "
                  'ransomware attack)'],
 'title': 'Jaguar Land Rover (JLR) Cyberattack Disrupts Global Manufacturing '
          'Operations',
 'type': ['Cyberattack', 'Supply Chain Disruption', 'Operational Shutdown'],
 'vulnerability_exploited': 'SAP Netweaver (specific details undisclosed)'}