Lessons Learned from the Jaguar Land Rover Cyber Attack

The cyber attack that paralysed Jaguar Land Rover's operations earlier this month serves as a case study for manufacturing executives battling rising cyber threats.
The British luxury carmaker – a subsidiary of Tata Motors in India – experienced a significant system shutdown, forcing factory closures in the UK, China, Slovakia and India. The incident has underscored the broad impact of coordinated cyber campaigns on manufacturing operations.
Initially, JLR insisted that customer data remained unaffected by the cyber breach. However, the company later confirmed that data was compromised during the attack.
So, what valuable lessons can manufacturers learn and how can they protect themselves?
Impact on JLR's operations
The breach has been attributed to the Scattered Spider cybercrime group, notorious for targeting prominent retailers, including Marks & Spencer.
The timing of the attack was particularly problematic as it coincided with the September vehicle registration period when new UK number plates were released.
This caused substantial disruptions, preventing dealerships from registering vehicles and generating significant delivery backlogs. Given JLR's production of approximately 1,000 vehicles daily, with an estimated daily turnover of US$96m as per former Land Rover Chief Engineer Dr. Charles Tennant, the attack resulted in notable operational and financial implications.
Nevertheless, cybersecurity experts observed that JLR's swift response exemplified effective incident management practices. The company's decision to promptly isolate impacted systems likely curtailed further attacker movement within the network infrastructure.
Adopting zero trust architecture
JLR's experience underscores why zero trust architecture is advocated as a primary security model for modern manufacturing operations.
The approach moves away from traditional perimeter-based defences, instead assuming networks may already be compromised, focusing on rapid containment and response.
“We used to think prevention was the goal,” explains Dr. Larry Ponemon, Founder of the Ponemon Institute. “But it’s not practical anymore. The focus now needs to be on how fast you can contain the damage.”
This approach is particularly relevant for manufacturers operating legacy systems that are challenging to upgrade.
“All networked OT assets, factory users, cloud services, equipment and support engineers accessing OT assets remotely must be verified before being trusted,” notes Suvabrata Sinha, CISO in residence at Zscaler.
John Kindervag, the creator of Zero Trust, elaborates on its advantages: “We take this whole problem called cybersecurity and we break it down into small bite-sized chunks. The most I can screw up at any one time is a single protected surface.”
Exposing supply chain weaknesses
The JLR incident also sheds light on the interconnected vulnerabilities in modern manufacturing ecosystems.
Suppliers have struggled to access crucial ordering systems, leading to cascading supply chain disruptions.
This disruption in the “giant database” hampered partners from fulfilling orders and dispatching components, ultimately affecting automotive assembly and maintenance services globally.
Katie Barnett, Director of Cyber Security at Toro Solutions, emphasises: “Early detection of supply chain vulnerabilities is vital to minimising the impact of such breaches.”
Ultimately, the incident exemplifies how a single point of failure can jeopardise an entire network of manufacturing partners.
Manufacturing at risk
The manufacturing sector has emerged as a primary target for cybercriminals.
IBM X-Force research highlights four consecutive years of the sector being the most attacked industry, with the World Economic Forum reporting attack costs escalating by 125% annually.
Incidents across the manufacturing landscape reinforce this pattern. Nucor Corporation, the largest steel producer in the US, initiated network shutdowns following unauthorised access, while medical device manufacturer Masimo reported decreased manufacturing capacity after a cyber incident across multiple locations.
Dray Agha, Senior Manager of Security Operations at Huntress, adds: “In 2025, there are still companies that wait until a devastating cyberattack to invest in a robust security posture.”
He observes that JLR “appears to have had processes and procedures in place to ‘lessen the effect’ and facilitate a return to normal operations.”
The key takeaway from the JLR incident lies in fostering organisational resilience, rather than pursuing prevention.
Dr. Darren Williams, Founder and CEO of BlackFog, concludes: “For the automotive sector – increasingly reliant on connected technologies, digital platforms, and complex supply chains – the JLR breach is a clear warning of the financial, operational and brand damage that cyber attacks can cause.”

