Key Facts: Jaguar Land Rover faces production shutdown that began August 31, 2025, now extended until October 1. The attack is believed to be costing the company £50 million a week. 33,000 workers sent home, with the company’s wider UK supply chain supporting a further 104,000 workers. The Financial Times reports that JLR had no cyber insurance in place when the attack occurred, with sources saying the company was still negotiating a deal with insurance broker Lockton when the attack happened.

Attack Timeline and Hacker Claims

The cyberattack began on August 31, 2025, forcing Jaguar Land Rover to pause production on September 1. A Telegram channel calling itself Scattered Lapsus$ Hunters has claimed responsibility for Jaguar Land Rover’s cybersecurity incident, sharing a screenshot of Jaguar Land Rover’s internal IT systems.

The channel’s name merges three English-speaking hacker collectives: Scattered Spider, Lapsus$, and ShinyHunters. Security researchers report that Scattered Spider was linked to high-profile attacks on M&S, the Co-op and Harrods earlier this year.

On September 3, 2025, while sharing news links related to the Jaguar Land Rover recent cyber incident, the Scattered Spider Lapsus$ Hunter Group also posted the following screenshot alongside. From the screenshot, we find a domain ‘jlrint.com’ which is most likely a Jaguar Land Rover Internal domain. The screenshot below reveals an internal JLR infotainment issue (SIMS-23441) related to EV charging mode transitions in the PIVI system.

Production Shutdown Extensions

JLR first announced the attack on September 2, posting on its website that it had been “impacted by a cyber incident” and was “proactively shutting down” its systems. The company initially extended the production pause until September 24.

UPDATE 9/23/25: JLR has delayed resuming production until October 1. “We have made this decision to give clarity for the coming week as we build the timeline for the phased restart of our operations and continue our investigation,” a spokesperson for the company said.

“Our teams continue to work around-the-clock alongside cybersecurity specialists, the National Cyber Security Centre and law enforcement to ensure we restart in a safe and secure manner,” the company said.

Financial Impact and Insurance Gap

The attack is believed to be costing the company £50 million a week. Reuters reports that JLR has closed three plants in the U.K. that would normally be producing around 1,000 vehicles per day.

The Financial Times reports that JLR had no cyber insurance in place when the attack occurred. The British media reported that the company was still negotiating a deal with insurance broker Lockton when the attack happened.

The attack coincided with the UK’s “New Plate Day,” intensifying financial losses as dealers could not register or deliver vehicles.

Supply Chain Crisis

The shutdown affects its three UK plants, which normally build around 1,000 cars a day, and the company’s 33,000 employees have been told to remain at home in the meantime.

The attack has also impacted the car manufacturer’s wider UK supply chain, which supports a further 104,000 workers. Unite, the UK’s largest trade union, said staff had already been laid off on “reduced or zero pay”, adding that it was “unacceptable” for workers to shoulder the burden of the cyber attack.

“There’s anywhere up to a quarter of a million people in the supply chain for Jaguar Land Rover,” Bailey told the BBC.

Government Response and Support Measures

Ministers are exploring emergency support for JLR’s suppliers as the cyberattack continues to impact operations. Chris McDonald, the U.K.’s industry minister, said he was visiting Jaguar Land Rover alongside Peter Kyle, Business Secretary, to ‘host companies in the supply chain, to listen to workers and hear how we can support them and help get production back online.’

“The recent cyber incident is having a significant impact on Jaguar Land Rover (JLR) and on the wider automotive supply chain. The Government, including government cyber experts, are in contact with the company to support the task of restoring production operations, and are working closely with JLR to understand any impacts on the supply chain,” according to a joint statement from the Department for Business and Trade (DBT) and the Society of Motor Manufacturers and Traders.

Previous HELLCAT Breach Connection

Earlier this year, the HELLCAT ransomware group targeted JLR in separate attacks. The attack, attributed to a threat actor known as “Rey” [identified by breach tracking platforms as an active member of HELLCAT] on a dark forum, on March 10, 2025, posted roughly 700 internal JLR documents that were compromised.

The breach was enabled through stolen Jira credentials harvested via Infostealer malware, a known hallmark of HELLCAT’s operations. The exposed data includes development logs, tracking information, source code, and a large employee dataset with usernames, email addresses, display names, and time zones.

Just days after Rey’s initial disclosure, the JLR breach escalated when a second threat actor, “APTS,” appeared on DarkForums on March 14, 2025. APTS claimed to have exploited Infostealer credentials dating back to 2021, belonging to an employee who held third-party access to JLR’s Jira server. APTS also leaked an additional tranche of sensitive data, estimated at around 350 GB.

Data Breach Confirmation

By September 10, JLR disclosed that data had been affected. “As a result of our ongoing investigation, we now believe that some data has been affected and we are informing the relevant regulators,” the company said.

Cybersecurity agencies, including the National Cyber Security Centre and law enforcement, are now supporting the investigation.