JLR Halts Production Worldwide After Cyberattack

Jaguar Land Rover (JLR) has encountered a severe cyber attack impacting its global production facilities and retail operations.

The crisis compelled the renowned British luxury carmaker to momentarily disable its IT systems and suspend manufacturing processes at vital sites.

The cyber incident did not compromise customer data but enforced substantial operational and commercial interruptions, underscoring the escalating cyber threats within the automotive sector.

This attack is part of a slew of cyber intrusions targeting reputable brands like M&S, Co-op and Harrods.

The impact of JLR's cyber incident

JLR, owned by India's Tata Motors, confirmed the targeting of its computer system, leading to production halts at its Merseyside and Solihull plants in the UK, along with other global sites.

The company instructed employees either not to report to work or to leave the premises to manage the attack.

This interruption came at a time when the release of new car registration plates on 1st September intensified business activities.

In a statement, JLR says: “We took immediate action to mitigate its impact by proactively shutting down our systems. We are now working at pace to restart our global applications in a controlled manner.

“At this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted.”

Operational and financial repercussions

In the automotive realm, with its highly integrated production and supply chains, such cyber incidents can swiftly cause drastic operational disruptions.

The integration of IT and operational technology (OT) systems controlling the manufacturing processes often necessitates halting production to avert further attack damage or propagation.

The loss incurred from each inactive hour can amount to millions in lost output and sales.

The problem extended to dealerships that were unable to register new vehicles, preventing customers from legally taking delivery of their cars and causing direct revenue losses for both the company and its retail partners.

Dray Agha, Senior Manager of Security Operations at Huntress, says: “This incident highlights the critical vulnerability of modern manufacturing, where a single IT system attack can halt a multi-billion-pound physical production line, directly impacting sales, especially during a key period like a new registration month. 

“Cybercriminals know this and many leverage the stopped clock of business functions as the leverage they need to force capitulation of ransomware demands.

“It is not known if ransomware was involved in the Jaguar Land Rover attack, but ransomware actors target manufacturers for a reason.

“While the quick shutdown of systems was a textbook damage limitation tactic that likely prevented a data breach, it underscores the immense recovery challenge companies now face in safely rebooting complex, interconnected operations after an attack. 

“In 2025, there are still companies that wait until a devastating cyberattack to invest in a robust security posture. 

“Fortunately, Jaguar Land Rover appears to have had processes and procedures in place to ‘lessen the effect’ and return to business as usual. 

“Containment and recovery are crucial parts of responding to an incident and many organisations still do not have the detection and response technologies to neutralise security intrusions.”

Cybersecurity challenges for automotive manufacturers

JLR’s cyber breach reflects the increased risk and exposure automotive manufacturers have to sophisticated cyber threats.

The sector's digitised operations involving a myriad of suppliers and partners create an attractive environment for cybercriminals.

Katie Barnett, Director of Cyber Security at Toro Solutions, adds: “The recent JLR cyber incident underscores the critical importance of robust cyber security, especially when protecting the intricate supply chains that underpin modern manufacturing. 

“Early detection of supply chain vulnerabilities is vital to minimising the impact of such breaches.

“These events are highly disruptive and stressful for everyone involved in restoring systems and resuming operations. They serve as a further reminder to reassess your IT resilience.

“While third-party vendors are essential to supply chain efficiency, it’s important to ask the following questions: Do they have the right security controls in place? Can you detect system infiltration early enough to contain the damage? Are your incident response plans ready to activate and restore business continuity at speed?

“With its complex global networks, the automotive industry remains a high-value target for cyberattacks. 

“Continued investment in third-party risk and resilience audits, real-time monitoring and rapid response strategies is essential to contain threats and recover swiftly, ensuring operational integrity and customer trust.”

The rise in cyber attacks on household names

A sharp uptick in cyberattacks targeting household-name brands in 2025 is underscoring how exposed even well-resourced companies remain to increasingly sophisticated threats.

Retail giants including M&S, Co-op and Harrods, as well as Adidas and Pandora, have all faced disruptive incidents ranging from ransomware deployments to unauthorised system access.

The fallout has included weeks-long operational disruption, compromised data and heavy financial impacts.

M&S was among the hardest hit. The company estimates a £300m (US$402m) profit impact tied to lost sales, supply chain disruption and incident-response costs. The attack, which lasted nearly a month and spanned the fashion, home and food divisions, forced a suspension of online orders and contributed to empty shelves in stores.

Beyond the immediate hit to performance, the incident dented customer trust and involved theft of customer data.

Co-op confronted an attempted ransomware breach that prompted system shutdowns across 2,300 stores. The defensive move disrupted supply chains and exposed sensitive member data

Harrods prevented an attack from taking hold but restricted internet access and shut down select systems as a precaution, highlighting the operational trade-offs businesses face when containing threats.

Security analysts link this calibre of incident to organised, well-funded groups that blend social engineering and phishing with exploitation of third-party vendor weaknesses.

The pattern exposes how interdependent and digitised modern retail operations have become: a compromise of a single partner or system can ripple across point-of-sale, e-commerce and logistics, making any disruption potentially devastating.

Industry experts say the wave of breaches spotlights three priorities for boards and executives: continuous cybersecurity vigilance, rigorous third‑party risk management and rapid incident response capabilities.

Together, these disciplines are increasingly viewed as essential to maintaining business continuity and protecting consumer data amid a shifting threat landscape .With attackers refining their techniques and targeting the connective tissue of digital supply chains, the cost of underinvestment has rarely been clearer.

Shankar Haridas, Head of UKI at ManageEngine, says: “These back-to-back security incidents, especially on major global brands, is definitely a matter of concern. 

“The impact that this has on UK businesses especially is profound and increasingly concerning. This brings to the forefront the relentless challenges organisations face in protecting their digital assets.

"While businesses continue to invest heavily in frontline defences, attackers are finding new ways in – exploiting weak links in digital supply chains or infiltrating through trusted vendors.

“With the rise of AI, the threat is reimagined like never before and driving an ever greater velocity of attacks.

"No organisation can close every gap. That is why security can no longer be seen as an insurance policy – it must be embedded as a core strategic priority and a fundamental part of every organisation’s toolkit.”

Nivedita Murthy, Senior Security Consultant at Black Duck, adds: “The first step after detecting a security incident is containment. 

“Jaguar did the right thing by shutting down its IT system before the attack spread further and caused damage. 

“As part of the post-incident activity, they would be able to identify how the attackers were able to access the systems and take advantage of them. 

“This incident is another reminder to retailers that emphasises the need to work on securing business operations as well as customer data to ensure smooth production and uncompromised trust in software, as attackers are increasingly targeting retail operators to access customer base information.

“People within an organisation tend to be the weakest links and any information gained on customers could be used for future phishing attacks or scams. 

“The fraud industry is thriving and more and more people are falling victim due to the fact that a lot of information on customer activity is available online.”