In this week’s bulletin, Charlie looks at Jaguar Land Rover’s recent hack and gives an insight into lessons learned from the event.
I have been wanting to write something on JLR for a few weeks, and with them announcing they have got parts of their manufacturing sites up and running, I thought it was a good time to write something on the event. The breach has had far-reaching impacts on the organisation’s production, as well as a ripple effect across their supply chain, impacting multiple tiers of suppliers. According to Autocar magazine, this is 700 different companies employing 150,000 people. In doing my research, I very quickly realised that there is a vast amount to write on everything, from operations to technology and from supplier to finance, all of which are substantial subjects in their own right. I thought this week, I would write on what I learned about the technological aspects of this incident. As this incident is so high-profile, there has been quite a lot written on the technical aspects of the hack, whereas for many other less high-profile hacks, there is very little written and the organisation concerned gives away very little technical detail. This is due to a combination of factors: they have been told to do so by their response support (law enforcement, NCSC or forensic suppliers) to avoid informing the hacker what they know, and I believe it is also about them being embarrassed, as I suspect a frequent occurrence is that some of the access gained has been due to poor IT practices on the part of the hacked organisation.
The following is a timeline of the events, arranged around their cyber statements; only this coming week will some production start.
| Date | Event |
| --- | --- |
| Sunday, 31 August 2025 | Attack begins; suspected entry via external compromise. | 
| Monday, 1 September 2025 | JLR shuts down IT systems and halts production as a precaution. | 
| Tuesday, 2 September 2025 | Company publicly confirms the cyber incident and major disruption. | 
| Saturday, 6 September 2025 | Update issued: recovery efforts underway with cybersecurity partners. | 
| Wednesday, 10 September 2025 | JLR confirms some data has been affected and regulators notified. | 
| Tuesday, 16 September 2025 | Production pause extended to 24 September as investigation continues. | 
| Tuesday, 23 September 2025 | Further extension of production pause to 1 October. | 
| Thursday, 25 September 2025 | Digital systems, invoicing, and logistics services partially restored. | 
| Monday, 29 September 2025 | Announcement that manufacturing will restart in the coming days. | 
| Tuesday, 7 October 2025 | Full production restarts; supplier financing scheme introduced. | 
So, what have I learned?
1. Integrated technology ecosystem
In one of the articles I read, it said that JLR’s systems were more complex than NASA’s, with five main manufacturing sites in the UK plus manufacturing sites in Slovakia, Pune in India, Brazil, and China. All systems are interconnected to allow data to flow from the factories to their systems. Their systems appear to be vertically integrated, so that everything from the order, to the manufacturing and the supply chain, to the financing of the vehicles is integrated. A lot of the JLR vehicles are made to order, and often each one is made for the customer, as there is a wide range of optional extras and different configurations of each vehicle. When building each car, the production line needs to know exactly which parts and colours to fit on each car, and the supply chain has to deliver to each member of the production line the exact parts in the right order, for them to put on the car they are building. This complexity means that as soon as the systems are not available, no cars can be built. It is not as easy as the Model T Ford, where every car was the same, which makes production a lot easier. The operational technology (OT) is built into this ecosystem, so everything is connected and works together, right from the machinery on the shop floor to the software which runs production. Where there are suppliers, they are again integrated into JLR’s systems through APIs. This ecosystem lets manufacturing be just in time and run lean, and ensures that JLR, being at the top end of vehicle manufacturing, gives its customers bespoke customised vehicles. TCS (JLR’s outsourced IT provider) president of manufacturing, Anupam Singhal, highlighted that JLR run “smart factories where everything is connected” to try to “remove waste” and use artificial intelligence to “avoid plant downtime”.
As all systems are so integrated, any cyber attack affecting one part can very quickly spread to another part, and the openness of the systems necessitated the shutdown of all systems to prevent the spread of a cyber attack.
2. SAP key system
I did a lot of work for a cement manufacturing company, developing their business continuity. When I was doing their BIA, having conducted interviews across multiple countries and sites, I was surprised by how few IT systems they had. They ran their entire business, from the production of cement to the sale to customers, on SAP. Several articles I read mentioned that this is similar to JLR, as they also ensure their business is run on SAP. This included all manufacturing elements, the supply chain, as well as financial elements and customer orders. It is, therefore, not surprising that any impact on SAP will stop the organisation’s operations. In my reading, it is unclear whether JLR suffered from a ransomware attack, which encrypted their systems, or if their disruption was a result of an operational shutdown as a means of containing the breach. If it were a ransomware attack, the restoration of systems is in line with the organisation having to recover from backups, but owing to the complexity of the systems and their integrated nature, it has taken five weeks to restore their systems and start manufacturing again, and they aim to have all sites up and running by the 18th October. Marks and Spencer took 10-12 weeks to get their full operations up and going. So having one main system on which you run your entire organisation is a single point of failure, the impact of which we can see in the JLR event.
3. Patching
According to Autocar, ‘A member of the group (hacker) revealed that a well-known flaw in SAP Netweaver, a third-party software used by JLR, was exploited to access the data. The US’s Cybersecurity and Infrastructure Security Agency warned about the flaw earlier this year. An update for the software was released, but whether JLR applied it is unknown.’ [1] A patch for this was released in April 2025, which would have given JLR 4 months to patch their systems, but as the quote states, we don’t know whether they applied the patch. If this attack was due to not implementing a patch, it could be a very costly mistake.
4. Tata Consultancy Services (TCS)
TCS, which is a division of Tata, manages the IT for JLR as an outsourced contract. Recently, in a number of cyber attacks attributed to supply chain attacks, an outsourced partner has been the route into the cyber incident and data breach. TCS are also the outsourced IT provider for M&S and Co-op, both of which have had recent cyber attacks. [2] Reuters reported in May that TCS was the “means of access” for hackers to get into M&S’s systems when they were attacked. TCS said in a June statement that “no TCS systems or users were compromised”. There has also been speculation that TCS might have been somehow involved in the JLR incident. We may never be told how the attack happened, but I am sure TCS are aware that having three major organisations compromised by a cyber attack may seem more than coincidence.
5. Data breach – as always
This incident follows a familiar pattern I have discussed many times in the bulletin, where the company’s public statement on their website, posted on the 2nd September, said “At this stage there is no evidence any customer data has been stolen”, followed eight days later by “As a result of our ongoing investigation, we now believe that some data has been affected and we are informing the relevant regulators.” Saying “no evidence” is a caveat: it only says that no lost data has been found, but those who are well informed know that 95% of ransomware attacks involve data exfiltration, so it’s likely that data has gone.
The IT company Cyfirma, in their report on the JLR cyber breach, stated that they were aware JLR data had been breached because it had been posted on the dark web by SHINYHUNTERS, the hackers, who posted several screenshots of internal domains, debug logs, and backend code to demonstrate they had access to JLR systems on 3rd September. I am not sure whether they shared this information with JLR; perhaps JLR were aware and didn’t want to admit it until days later. The data, according to Cyfirma, seems to be technical information rather than PPI, so there is less urgency to admit to a data breach, as there are no individuals to notify about data loss.
6. Previous breach
Earlier this year, JLR suffered a previous data breach that leaked gigabytes of sensitive information, including proprietary documents, source code, and employee and partner data. On March 10th, 2025, roughly 700 stolen internal JLR documents were published on a dark forum.
There will be many lessons learned from this incident over the coming weeks and months, and if a report becomes available, I will share it with you. The integration of JLR’s systems highlights a dilemma faced by many organisations. When all the systems are tightly integrated into one seamless whole, it benefits business operations; however, in the event of a cyber attack, it can create a massive single point of failure.
[1] Autocar – “JLR restarts production following September hack” – https://www.autocar.co.uk/car-news/new-cars/jlr-restarts-production-following-september-hack
[2] The Guardian – “Inside the Jaguar Land Rover hack: stalled smart factories, outsourced cybersecurity and supply chain woes” – https://www.theguardian.com/business/2025/sep/20/jaguar-land-rover-hack-factories-cybersecurity-jlr


