Jaguar Land Rover is currently working to restore operations following a cyberattack that has significantly impacted its production and sales, with a hacker group known for a previous breach at Marks & Spencer claiming responsibility.
Jaguar Land Rover (JLR) has confirmed it is in the process of recovering from a substantial cyber incident that disrupted various segments of its global operations. In an effort to contain the situation, the company opted to suspend its IT systems, leading to significant interruptions in production lines and retail systems.
While dealerships were able to sell existing stock, they faced challenges in registering new vehicles for customers. Reports from employees and partners indicated extended delays, with some systems still being restored days later. JLR has indicated that it is pursuing a phased approach to bring operations back online, assuring stakeholders that there is no evidence indicating customer data was compromised during the breach.
The hacker collective associated with the Marks & Spencer cyber breach has publicly claimed responsibility for the attack on JLR. A post on a Telegram channel linked with groups such as Scattered Spider, Lapsus$, and ShinyHunters by a group named “Rey” included a screenshot displaying internal hostnames from JLR systems, lending credibility to their claim.
Cybersecurity analysts have noted that the screenshot is compatible with previously disclosed exploits on Telegram involving two vulnerabilities in SAP NetWeaver (CVE-2025-31324 and CVE-2025-42999). These vulnerabilities appear to have been exploited in sequence to achieve administrative access and execute commands. Although JLR has yet to confirm the authenticity of these allegations, evidence suggests that the attackers may have employed a sophisticated, multi-stage technical strategy to penetrate the organization’s systems.
“This cyber incident represents more than just an operational challenge; it’s fundamentally a revenue issue across the automotive supply chain,” remarked Tim Grieveson, CISO at ThingsRecon. “Data indicates that each hour of downtime in this sector could incur costs exceeding £1.6 million. A day of halted production directly translates to fewer vehicles available for sale, and dealers experience immediate revenue losses from their inability to register or deliver vehicles.”
Grieveson further elaborated that JLR must quickly quantify and communicate its financial exposure related to lost sales and delayed cash flow. Meanwhile, dealers should concentrate on customer relationship management—keeping consumers informed, identifying potential data breaches that may have broader implications, and seeking contingency support from the manufacturer. He cautioned that prolonged delays in remediation could led to significant long-term damage to customer trust.
JLR has not disclosed the number of sites impacted or an estimated timeline for full recovery; however, it has confirmed that systems are gradually coming back online. In a recent press release, the company assured stakeholders that its teams, along with external cybersecurity experts, continue to investigate the matter.
The current episode underscores how cyberattacks have evolved into more than isolated IT issues—they have become events capable of disrupting production, revenue streams, and brand reputation across industries. For companies like JLR, the imperative now rests on rapidly restoring operations while reassuring both customers and partners about security measures moving forward.
