A cyber attack has “severely disrupted” production at Jaguar Land Rover (JLR), including its two major plants in the United Kingdom.
The company, a subsidiary of India’s Tata Motors, confirmed that it immediately moved to contain the breach and is urgently working to bring operations back online.
JLR’s retail division has also been badly affected during what is usually a busy period for car deliveries, though the automaker stressed there is currently no evidence of any customer data being compromised.
The attack, which began on Sunday, coincided with the rollout of the latest set of new registration plates on Monday, September 1. The intrusion was detected while still underway, prompting JLR to shut down its IT systems to minimise the potential damage.
At JLR’s Halewood plant in Merseyside, employees were informed by email on Monday morning not to report to work, while some staff already on-site were sent home, according to the Liverpool Echo. A similar situation unfolded at the company’s Solihull factory, with workers also told to leave.
‘Took Immediate Action’
The company said in a statement: “We took immediate action to mitigate the impact by proactively shutting down our systems. We are now working at speed to restart our global applications in a controlled manner.” It added that production and retail operations were heavily affected but insisted that no evidence pointed to stolen customer data.
Although JLR itself did not explicitly use the phrase “cyber-attack,” its parent company, Tata Motors, disclosed in a filing to the Bombay Stock Exchange that the incident involved an “IT security issue” causing problems on a global scale.
The UK’s National Crime Agency confirmed awareness of the disruption, saying: “We are aware of an incident impacting Jaguar Land Rover and are working with partners to better understand its impact.”
In 2023, JLR signed a five-year, £800 million contract with Tata Consultancy Services to accelerate its digital transformation and bolster cybersecurity measures across its operations.
The shutdown in production now represents another setback for the automaker, which recently reported profit losses linked to rising costs from US tariffs.
M&S Hackers Claim Responsibility
A group of English-speaking hackers calling themselves the “Scattered Lapsus$ Hunters” has claimed responsibility for the breach. The group, active on Telegram, has posted screenshots allegedly taken from within JLR’s IT networks and boasted about disrupting the automaker’s global production lines.
The same collective has previously been linked to cyber attacks on UK retailers, including Marks & Spencer, earlier this year. In a mocking post, the hackers taunted JLR by writing: “Where is my new car, Land Rover.”
Speaking privately via text, a member of the gang who claimed to be a spokesperson described how the attackers allegedly accessed JLR’s systems. They are reportedly attempting to extort the company for money, though they declined to say whether they had stolen private data or deployed malware inside the network.
The group has so far provided little concrete proof, and security experts caution that such gangs often exaggerate their access to boost attention.
However, images shared by the hackers include what appear to be internal troubleshooting documents and IT system logs.
The Information Commissioner’s Office has confirmed that JLR reported the incident, and the regulator is now reviewing the details.
Widespread Disruption
Production at both the Halewood and Solihull sites remains heavily impacted, with employees sent home as JLR works to restore systems.
The company has not disclosed the exact nature of the attack but reiterated that proactive shutdowns were initiated to contain the fallout.
The hackers’ name, Scattered Lapsus$ Hunters, reflects a blend of young cybercriminals tied to an underground network known as “The Com.”
Earlier this year, the UK’s National Crime Agency warned of increasing threats from The Com, which is believed to serve as a breeding ground for loosely organised hacking groups.
This particular gang appears to have splintered from notorious groups such as Shiny Hunters, Lapsus$, and Scattered Spider—all of which have made headlines for recent high-profile cyber attacks.
The Telegram channel used by the hackers currently has around 52,000 subscribers, where the group continues to brag about intrusions and trade inside jokes.
It is their fourth such channel after earlier ones were shut down.
Scattered Spider, another offshoot, has previously carried out cyber attacks on UK retailers, including M&S, Co-op, and Harrods, earlier this year.
In July, the National Crime Agency arrested four individuals—three young men aged 17 to 19 from London and the West Midlands, and a 20-year-old woman in Staffordshire—in connection with those attacks. All have since been released on bail.
(With inputs from IBNS)
