Jaguar Land Rover (JLR)

Jaguar Land Rover (JLR) suffered a **major cyberattack** in September 2025, attributed to the hacking group *Scattered Lapsus$ Hunters*. The attack exploited a known vulnerability (**CVE-2015-2291**) in Intel’s Ethernet Diagnostics Driver, leading to **widespread disruption** across manufacturing, IT systems, and dealership operations. Key production sites in the UK (**Solihull, Halewood**) and international facilities were forced to halt vehicle production, while dealerships faced issues registering new vehicles. The company proactively shut down IT systems to contain the breach, but recovery is expected to take **weeks**, with significant financial losses due to downtime (millions per day), supply chain disruptions, and potential regulatory fines under **GDPR**. The attack highlights vulnerabilities in JLR’s **just-in-time logistics** and interconnected supply chain, where a single breach cascaded into operational paralysis. The incident marks the **second cyberattack on JLR in 2025**, following an earlier ransomware attack by *HELLCAT*. Experts warn of long-term reputational damage, erosion of customer trust, and heightened scrutiny from regulators. The company is now prioritizing cybersecurity upgrades, including **identity-based attack defenses** and resilience measures, as the automotive sector faces escalating threats from sophisticated hacking collectives.

Source: https://itbrief.co.uk/story/jaguar-land-rover-hit-by-cyberattack-forcing-uk-production-halt

TPRM report: https://www.rankiteo.com/company/jaguar-land-rover_1

"id": "jag2102021100825",
"linkid": "jaguar-land-rover_1",
"type": "Cyber Attack",
"date": "6/2015",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Automotive',
                        'location': 'Global (HQ: UK)',
                        'name': 'Jaguar Land Rover (JLR)',
                        'size': 'Large Enterprise',
                        'type': 'Automotive Manufacturer'},
                       {'industry': 'Automotive',
                        'location': 'India/Global',
                        'name': 'Tata Motors',
                        'size': 'Large Enterprise',
                        'type': 'Parent Company'},
                       {'industry': 'Automotive/Logistics',
                        'name': 'Unnamed Third-Party Supplier(s)',
                        'type': 'Supplier'}],
 'attack_vector': ['Exploitation of CVE-2015-2291 (Intel Ethernet Diagnostics '
                   'Driver)',
                   'Potential Third-Party Supplier Compromise',
                   'Identity-Based Attack/Social Engineering'],
 'date_detected': 'early September 2025',
 'date_publicly_disclosed': 'September 2025',
 'description': 'Jaguar Land Rover (JLR) suffered a significant cyberattack in '
                'early September 2025, leading to production halts at key UK '
                'sites (Solihull, Halewood) and global disruptions across '
                'manufacturing, IT systems, and dealership operations. The '
                "attack, claimed by the 'Scattered Lapsus$ Hunters' group, "
                'exploited CVE-2015-2291 in Intel Ethernet Diagnostics Driver '
                'for Windows. The incident forced JLR to proactively disable '
                'IT systems, causing weeks-long recovery efforts, financial '
                'losses, and supply chain ripple effects. The attack '
                "underscores vulnerabilities in interconnected 'just-in-time' "
                'logistics and third-party supplier risks, with broader '
                'implications for Tata Motors and regulatory compliance (e.g., '
                'GDPR).',
 'impact': {'brand_reputation_impact': 'High (eroded customer trust, '
                                       'regulatory scrutiny)',
            'downtime': 'Weeks (full recovery expected to take several weeks)',
            'financial_loss': 'Millions of dollars per day (downtime costs, '
                              'revenue loss, operational expenses)',
            'legal_liabilities': ['Potential GDPR Fines',
                                  'Regulatory Investigations'],
            'operational_impact': ['Production Halts',
                                   'Vehicle Registration Delays',
                                   'Supply Chain Disruptions',
                                   'Dealer Operations Impaired'],
            'revenue_loss': 'Significant (hourly losses in millions, extended '
                            'business interruption)',
            'systems_affected': ['Manufacturing Facilities (UK: Solihull, '
                                 'Halewood; International Sites)',
                                 'Global IT Systems',
                                 'Dealership Operations',
                                 'Supply Chain Networks',
                                 'Operational Technology (OT)']},
 'initial_access_broker': {'entry_point': ['Potential Third-Party Supplier',
                                           'Exploited CVE-2015-2291 '
                                           'Vulnerability'],
                           'high_value_targets': ['Manufacturing Systems',
                                                  'Global IT Infrastructure',
                                                  'Supply Chain Networks']},
 'investigation_status': 'Ongoing (controlled restart phase, full recovery '
                         'expected in weeks)',
 'lessons_learned': ["Interconnected 'just-in-time' logistics amplify "
                     'cyberattack impacts.',
                     'Third-party supplier vulnerabilities pose significant '
                     'risks.',
                     'Proactive system shutdowns can limit breach scope but '
                     'prolong recovery.',
                     'Asymmetric cyber warfare requires resilience-focused '
                     'strategies (assumed breach mindset).',
                     'Identity-based attacks and social engineering are '
                     'critical vectors.',
                     'Budget allocations for integrated IT/OT/IoT monitoring '
                     'and rapid detection are essential.'],
 'motivation': ['Financial Gain', 'Disruption', 'Data Theft'],
 'post_incident_analysis': {'corrective_actions': ['Accelerated Patch '
                                                   'Management for Critical '
                                                   'Vulnerabilities',
                                                   'Enhanced Third-Party '
                                                   'Cybersecurity Audits',
                                                   'Deployment of Integrated '
                                                   'IT/OT Monitoring Solutions',
                                                   'Updated Incident Response '
                                                   'Playbooks for Operational '
                                                   'Resilience',
                                                   'Investment in Rapid '
                                                   'Detection and Recovery '
                                                   'Capabilities'],
                            'root_causes': ['Exploitation of Unpatched '
                                            'Vulnerability (CVE-2015-2291)',
                                            'Inadequate Third-Party Risk '
                                            'Management',
                                            'Late Breach Detection (attackers '
                                            'already within IT infrastructure)',
                                            'Over-Reliance on Interconnected '
                                            'Systems Without Resilience '
                                            'Controls']},
 'recommendations': ['Shift from prevention-only to resilience-based '
                     'cybersecurity (detect, respond, recover).',
                     'Enhance supply chain cybersecurity assessments and '
                     'third-party risk management.',
                     'Invest in unified alerting systems for IT, OT, and IoT '
                     'devices.',
                     'Implement robust backup and recovery protocols for '
                     'interconnected systems.',
                     'Prioritize security awareness training (though '
                     'acknowledge human fallibility).',
                     'Conduct regular red team exercises to test incident '
                     'response plans.'],
 'references': [{'source': 'e2e-assure (Simon Chassar, Interim COO)'},
                {'source': 'Modu (Justin Browne, CTO)'},
                {'source': 'Cybanetix (Martin Jakobsen, CEO)'},
                {'source': 'QUONtech (Michael Reichstein, CISO)'},
                {'source': 'Cybersecurity Industry Observers (Unnamed)'}],
 'regulatory_compliance': {'regulations_violated': ['Potential GDPR '
                                                    'Non-Compliance']},
 'response': {'containment_measures': ['Proactive IT System Shutdown',
                                       'Disconnection of Affected Networks'],
              'enhanced_monitoring': 'Planned (post-incident)',
              'incident_response_plan_activated': True,
              'recovery_measures': ['Controlled Restart of Global Applications',
                                    'Infrastructure Restoration',
                                    'Cyber Protection Updates'],
              'remediation_measures': ['System Wipe/Clean/Recovery from '
                                       'Backups',
                                       'Password Resets',
                                       'Firewall Rule Corrections',
                                       'Patch Deployment'],
              'third_party_assistance': ['e2e-assure (incident response)',
                                         'Unnamed Security Partners']},
 'threat_actor': 'Scattered Lapsus$ Hunters (associated with Scattered '
                 'Spider/Shiny Hunters)',
 'title': 'Major Cyberattack on Jaguar Land Rover Disrupts Global Operations',
 'type': ['Cyberattack', 'Production Disruption', 'Supply Chain Attack'],
 'vulnerability_exploited': 'CVE-2015-2291'}