Jaguar Land Rover (JLR) suffered a catastrophic cyberattack that forced a complete halt in production across multiple manufacturing plants, severely disrupting its IT systems and supply chain. The attack, claimed by the group *Scattered Lapsus$ Hunters*, involved ransomware deployment and data theft, including internal system files (e.g., SAP HOSTS file) posted publicly. The incident was so severe that JLR extended its operational shutdown, requiring a £1.5 billion UK government loan guarantee to stabilize finances, repay suppliers, and resume production. The attack threatened 34,000 direct jobs and ~120,000 supply chain roles, with long-term risks to the UK’s automotive sector. JLR lacked active cyber insurance at the time, exacerbating financial strain. Recovery involved coordination with the UK’s NCSC and law enforcement, with production restarting in phases after system restoration.
TPRM report: https://www.rankiteo.com/company/jaguar-land-rover_1
"id": "jag5092050092925",
"linkid": "jaguar-land-rover_1",
"type": "Ransomware",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'industry': 'Automotive',
'location': 'UK (primarily West Midlands, Merseyside)',
'name': 'Jaguar Land Rover (JLR)',
'size': '34,000 employees (direct), ~120,000 jobs in '
'supply chain',
'type': 'Automaker'}],
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['HOSTS file',
'Potentially other system/corporate '
'files'],
'sensitivity_of_data': ['High (internal system files)',
'Potentially sensitive corporate '
'data'],
'type_of_data_compromised': ['Internal HOSTS file from SAP '
'system',
'Unspecified corporate data']},
'date_publicly_disclosed': '2024-09-XX (earlier this month, exact date '
'unspecified)',
'description': 'A severe cyberattack on Jaguar Land Rover (JLR) forced the '
'automaker to halt production across multiple plants, leading '
'to significant supply chain disruptions. The UK Government '
'provided a £1.5 billion loan guarantee to restore operations. '
"The attack, claimed by 'Scattered Lapsus$ Hunters,' involved "
"ransomware deployment and data theft from JLR's SAP systems. "
'The company is gradually resuming operations with support '
"from cybersecurity specialists, the UK's NCSC, and law "
'enforcement.',
'impact': {'brand_reputation_impact': ['Potential damage to iconic British '
'brand',
'Impact on automotive sector '
'perception'],
'data_compromised': True,
'downtime': ['Production halted across multiple plants',
'Extended shutdown for recovery'],
'operational_impact': ['Supply chain disruption',
'Temporary closure of manufacturing plants',
'Delayed production restart'],
'systems_affected': ['IT systems',
'Manufacturing operations',
'SAP systems']},
'initial_access_broker': {'high_value_targets': ['SAP systems',
'Manufacturing IT '
'infrastructure']},
'investigation_status': 'Ongoing (collaboration with NCSC and law '
'enforcement)',
'motivation': ['Financial Gain', 'Disruption', 'Data Theft'],
'post_incident_analysis': {'corrective_actions': ['System recovery',
'Enhanced cybersecurity '
'collaboration with NCSC',
'Supply chain restoration '
'via loan guarantee']},
'ransomware': {'data_encryption': True, 'data_exfiltration': True},
'references': [{'source': 'UK Government announcement (Business and Trade '
'Secretary Peter Kyle)'},
{'source': 'JLR public statement on operational restart'},
{'source': "The Insurer report on JLR's cyber insurance "
'status'},
{'source': 'Telegram posts by Scattered Lapsus$ Hunters'}],
'response': {'communication_strategy': ['Public statements on operational '
'restart',
'Notifications to colleagues, '
'retailers, and suppliers'],
'containment_measures': ['System recovery efforts',
'Controlled, phased restart of '
'operations'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'recovery_measures': ['£1.5 billion UK Government loan guarantee',
'Resuming manufacturing operations',
'Paying suppliers to restore supply chain'],
'third_party_assistance': ['Cybersecurity specialists',
"UK Government's NCSC"]},
'stakeholder_advisories': ['Notifications to employees, retailers, and '
'suppliers about phased restart'],
'threat_actor': ['Scattered Lapsus$ Hunters (alleged)',
'Members linked to Scattered Spider, Lapsus$, ShinyHunters '
'(claimed)'],
'title': 'Catastrophic Cyberattack on Jaguar Land Rover (JLR) Disrupts '
'Production and Supply Chain',
'type': ['Cyberattack', 'Ransomware', 'Data Breach']}