
In late August 2025, Jaguar Land Rover (JLR), one of the giants of the European automotive industry, was the victim of one of the most serious cyber attacks ever recorded in the sector. The attack paralyzed global production for about five weeks and caused economic losses estimated at between £1.9 and £2.5 billion, with profound repercussions on British and international supply chains.
The hacker group: Scattered Lapsus Hunters
The attack was claimed by a hacker supergroup known as Scattered Lapsus Hunters, formed from the merger of three cybercriminal groups: Scattered Spider, Lapsus$, and ShinyHunters. These groups specialize respectively in sophisticated initial access and social engineering, recruiting insiders to steal source code, and collecting data for large-scale extortion.
The techniques used combine:
- Ransomware, to encrypt and block access to critical data and systems;
- Exploitation of software vulnerabilities, in particular a flaw in the SAP NetWeaver system, a key tool for JLR’s business and supply chain management;
- Advanced social engineering, using phishing, vishing, and psychological manipulation to steal credentials from employees and insiders;
- Lateral movement within the corporate network with privilege escalation and use of Tor traffic to evade controls;
- Data exfiltration and publication as leverage for public extortion on dedicated channels.
The hackers maintain a veritable internal market to recruit insiders, offering rewards for persistent access to VPNs, Active Directory, and corporate clouds, in support of high-impact international extortion campaigns.
Operational and economic impact
The attack caused an immediate suspension of production at the main plants in Halewood, Solihull, and Wolverhampton, as well as at international sites in Slovakia, China, and India, halting production of approximately 5,000 vehicles per week for five weeks. This generated direct losses for JLR of around £108 million per week in the UK alone, while the impact on the national economy affected over 5,000 organizations and thousands of furloughed workers.
The problems also extended to inventory issues and sales delays, exacerbating the crisis in the automotive supply chain. To mitigate the economic damage, the British government intervened with a £1.5 billion loan guarantee.
Compromised systems and stolen data
The intrusion primarily affected the SAP NetWeaver system, through which hackers gained access to production and logistics systems. Industrial control and line automation systems were then compromised, as well as software development systems: approximately 350 GB of data was stolen, including source code, development logs, employee information, and data relevant to the supply chain.
Despite initial denials, JLR confirmed that personal and technical data had been compromised and undertook to inform those affected in line with the European GDPR regulation.
Containment and recovery measures
At the first sign of compromise, JLR adopted a proactive shutdown and isolation strategy for its global IT systems. Production activities were suspended to prevent further damage, and compromised networks were disconnected and segmented to limit the attackers’ lateral movement.
A gradual and controlled recovery plan for systems and production was then initiated, including upgrading IT capacity, especially for critical services such as billing and order management.
JLR partnered with the UK National Crime Agency, external incident response teams, and the UK government, the latter providing financial support. At the same time, enhanced security measures were implemented: system patches, access control, staff training, and continuous monitoring.
Forensic investigations and in-depth analyses
The investigation involved an internal team and external agencies specializing in digital forensics. System, network, and authentication logs were analyzed in depth, with particular attention to suspicious traffic to Tor endpoints and command and control activities. Digital evidence was collected and preserved with a rigorous chain of custody, using state-of-the-art tools such as FTK Imager, Splunk, Wireshark, Cuckoo Sandbox, Volatility Framework, and collaborative platforms for forensic data management.
The response framework followed was that of NIST Cybersecurity Incident Response, divided into the phases of preparation, identification, containment, eradication, recovery, and lessons learned.
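As an added illustration of the kind of log review described above (this is example code written for this article, not JLR's or its investigators' tooling), the script below scans constructed firewall log lines for outbound flows to a constructed Tor relay list and ranks internal hosts by how many such flows they produced, weighting connections on typical Tor ORPort/DirPort values more heavily. The log format, relay addresses and port list are assumptions for the example.

```python
import re
from collections import defaultdict
# Constructed sample firewall log lines (not JLR data); key=value format is
# assumed for this example.
SAMPLE_LOGS = """\
ts=2025-08-31T02:14:07Z src=10.20.4.17 dst=203.0.113.25 dport=9001 proto=tcp action=allow
ts=2025-08-31T02:14:09Z src=10.20.4.17 dst=203.0.113.25 dport=9001 proto=tcp action=allow
ts=2025-08-31T02:15:11Z src=10.20.4.17 dst=198.51.100.77 dport=443 proto=tcp action=allow
ts=2025-08-31T02:16:40Z src=10.20.9.3 dst=192.0.2.10 dport=443 proto=tcp action=allow
ts=2025-08-31T02:18:02Z src=10.20.4.17 dst=198.51.100.77 dport=9030 proto=tcp action=allow
ts=2025-08-31T02:20:55Z src=10.20.9.3 dst=192.0.2.44 dport=80 proto=tcp action=allow
"""
# Constructed relay addresses standing in for a Tor relay/exit feed that a
# real investigation would fetch out of band and refresh regularly.
TOR_RELAYS = {"203.0.113.25", "198.51.100.77"}
# ORPort/DirPort values commonly used by Tor relays; a hit on a listed IP
# *and* one of these ports is a stronger signal than the IP alone.
TOR_PORTS = {9001, 9030}
LINE_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value log line into a dict."""
    return {k: v for k, v in LINE_RE.findall(line)}

def find_tor_candidates(log_text, relays=TOR_RELAYS, ports=TOR_PORTS):
    """Return {src: [(dst, dport, reason), ...]} for allowed flows to a listed relay."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("action") != "allow" or "dst" not in rec:
            continue
        dport = int(rec.get("dport", 0))
        if rec["dst"] in relays:
            reason = "relay-ip+tor-port" if dport in ports else "relay-ip"
            hits[rec["src"]].append((rec["dst"], dport, reason))
    return dict(hits)

def summarise(hits):
    """Rank sources as (src, total_flows, strong_flows), strongest first."""
    rows = []
    for src, flows in hits.items():
        strong = sum(1 for _, _, r in flows if r == "relay-ip+tor-port")
        rows.append((src, len(flows), strong))
    return sorted(rows, key=lambda r: (r[2], r[1]), reverse=True)

if __name__ == "__main__":
    for src, total, strong in summarise(find_tor_candidates(SAMPLE_LOGS)):
        print(f"{src}: {total} flows to listed relays, {strong} on Tor ports")
```

Hosts surfaced this way are leads for triage (memory and disk acquisition, authentication log review), not confirmed compromises, since legitimate research or privacy traffic can also reach Tor relays.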
Consequences and reflections
After about six weeks of downtime, production has begun to resume, but doubts remain about the complete normalization and long-term security of JLR’s systems. The case, which has now become a topic of parliamentary debate, highlights the fragility of global production chains in the face of sophisticated cyberattacks and the urgent need for targeted investment in cybersecurity.
The cyberattack on Jaguar Land Rover represents one of the biggest digital disasters in economic terms in the UK, a stark warning to the entire industrial sector and to national and international companies facing new cybersecurity challenges.