
Cyber Attack at JLR’s UK Factories a Wake-Up Call for the Global Manufacturing Sector

Jaguar Land Rover’s prolonged shutdown after a cyber-attack exposes how social engineering and credential theft can disrupt manufacturing worldwide, impacting operations, jobs, and supply chains.


By Donna Joseph

LONDON, Sept. 18, 2025 — Earlier this week, Britain's largest carmaker, Jaguar Land Rover, said that a sudden halt in production due to a cyber-attack would now extend to September 24, stretching the stoppage at its British plants to more than three weeks.

As reported by Reuters, the luxury carmaker said it shut down its systems in early September to deal with the hack that has severely disrupted its retail and manufacturing operations.

JLR’s three factories in Britain, which on a normal day manufacture about 1,000 cars, will now be unable to restart until September 24, the company said earlier this week.

The three affected factories are Solihull, Halewood and Wolverhampton.

The cyber-attack has hit JLR and dented employee confidence.

The incident has had a direct impact on 33,000 employees and their families, as the majority of staff have been asked not to report to work.

The social engineering aspect of the Jaguar Land Rover cyber-attack prominently involved highly targeted phishing and vishing campaigns orchestrated by threat groups such as Scattered Spider, Lapsus$, and ShinyHunters.

Jon Lucas, Director and Co-Founder of Hyve Managed Hosting, says, “The recent cyber-attack on Jaguar Land Rover underlines how today’s threats extend well beyond data theft as well as serves as a stark reminder that no organisation is immune to today’s cyber threats, regardless of size or market influence.”

Red Flags Manufacturers Need to be Watchful of

Social Engineering Tactics: Credentials stolen in earlier breaches were used by credential-harvesting and vishing attackers to conduct persuasive phone (vishing) campaigns. The attackers in the JLR cyber-attack impersonated trusted parties to trick employees into revealing sensitive access information or bypassing security steps. That information was then used for deeper infiltration into corporate systems.

Highly Targeted Phishing: Personal details obtained from previous data leaks and social media were used by the attackers to carry out phishing attacks on JLR. This enhanced the credibility of emails or calls, which were targeted at specific individuals within the organization.

Infostealer Malware: A few of the infiltrations originated from infostealer malware, which discreetly captured login credentials after being delivered via phishing emails or malicious downloads. These credentials, including those for critical applications like Jira, were exploited even years after the initial compromise because of insufficient credential management and revocation.

Multi-Factor Authentication Bypass: The attacker groups, known for techniques that bypass or fatigue multi-factor authentication, were able to gain unauthorized entry even in the presence of additional security layers.

This combination of targeted social engineering, especially the use of prior credentials and convincing communication, was key to enabling the initial access and lateral movement that led to the significant JLR breach.

Timeline of the JLR Cyber Attack

In late August this year, the initial infiltration began when threat actors employed sophisticated social engineering techniques to gain their first foothold within JLR's network infrastructure. Advanced reconnaissance and target identification phases were completed.

On August 31, JLR's internal security systems detected anomalous network activity. Immediate containment protocols were activated, triggering emergency response procedures.

Between September 1 and 2, a global shutdown of JLR took place, with proactive system shutdowns across the Halewood, Solihull and Wolverhampton plants. International operations were also affected. Dealership vehicle registration systems were compromised during the peak registration period.

On September 3, "Scattered Lapsus$ Hunters" publicly claimed responsibility via Telegram channels. Screenshots of internal IT systems were posted as proof of compromise.

Between September 9 and 10, there was an official confirmation, and the NCSC’s role was confirmed. JLR acknowledged data compromise and initiated regulatory notifications, including ICO reporting.

On September 24, the production halt was extended further, indicating complex system restoration challenges and comprehensive security hardening requirements.

“We have taken this decision as our forensic investigation of the cyber incident continues, and as we consider the different stages of the controlled restart of our global operations, which will take time,” JLR said in a statement on its website.

Chris McDonald, minister in the Department of Business and Trade, told Reuters he had met the company to “discuss their plans to resolve this issue and get production started again.”

Notably, the financial aspect of the production shutdown is a key concern, as the Unite trade union has warned of job losses and said government support would be needed given the lengthy stoppage.

A cyber-attack that shut down Jaguar Land Rover’s factories for more than three weeks has sidelined 33,000 workers and revealed how social engineering tactics can cripple a major manufacturer.

 

Inputs from Saqib Malik

Editing by David Ryder