Jaguar Land Rover Cyber Attack: What’s Taking So Long to Recover?

Alex Wells-Linden Cyber Security Analyst at Synextra

When you think of Jaguar Land Rover, you think sleek design and serious engineering — not cyber criminals grinding production to a halt. But that’s exactly what happened. A cyber attack recently forced JLR to hit the brakes across its supply chain, proving that even the biggest names in the game aren’t untouchable.

Our Chief Executive Officer, Chris, and Cyber Security Analyst, Alex, sat down and discussed what went wrong, who was behind it, and the critical security lessons every business needs to learn.

What’s happened

The blunt truth? We don’t really know yet. Jaguar Land Rover has acknowledged a “systems outage” that began in early September, forcing shutdowns across multiple UK plants, but beyond that: complete radio silence.

That lack of transparency invites speculation. As Alex points out, this could be another ransomware play — we’ve seen it happen to major UK businesses, including M&S, The Co-operative Group and Harrods. But if it isn’t ransomware, then the real question is: what triggered JLR to panic enough to pull the plug on their systems?

The timeline so far

Jaguar Land Rover first noticed the attack at the start of September 2025 and immediately hit the brakes — systems shut down, production paused, and updates trickling out ever since. Nearly a month later, they’re still not fully back online. The company has said it’s working with a cyber security specialist, has kept the Information Commissioner’s Office and government informed, and has been issuing careful statements along the way.

Originally, they’d hoped to have everything running again by mid-September. That deadline’s since been pushed back, with 1st October now the target date. Their latest update offered a glimmer of progress: financial systems are back up. However, most of their operations are still stuck in neutral.

And here’s the kicker — this isn’t even JLR’s first breach this year. Back in March, around 350GB of JLR data was leaked across two separate incidents linked to an infostealer campaign that had been active since 2018. Even worse, usernames and passwords exposed in that leak were still valid at the time, meaning anyone holding them could have logged in without any resistance. Credentials that surface in a leak need to be matched against the directory and rotated or disabled straight away, with MFA enforced so that a stolen password alone is not enough. That’s basic cyber hygiene 101, and letting it slide makes a company an easy target.

Who is behind the attack

The group claiming responsibility goes by the name Scattered Lapsus$ Hunters, a name that combines Scattered Spider, Lapsus$ and ShinyHunters: three cyber crime crews from similar backgrounds who have teamed up for this one. All three are known to interact on The Com, an underground communications hub where threat actors trade tools, tips and bragging rights.

They’re not your typical amateur hackers. They lean heavily on phishing, vishing and social engineering, exploiting human behaviour rather than just technical vulnerabilities. They’ve also been linked to the aforementioned recent attacks on major UK names: Marks & Spencer, the Co‑operative Group and Harrods.

Alex points out that targeting Jaguar Land Rover fits their established pattern. They’re on a roll hitting big UK retail and industry giants — it’s their modus operandi. Combine that with JLR already being a bit of a soft target after earlier breaches this year, and it’s easy to see why the attackers picked them next.

Why recovery is taking so long

Chris and Alex speculated on why Jaguar Land Rover is still limping along almost a month after the attack. Alex floated a few possibilities — purely conjecture, since JLR hasn’t released details:

  1. Refusing to pay the ransom – if this really is ransomware, maybe they’re taking the slow, painstaking route of rebuilding their infrastructure cleanly rather than handing over money.
  2. Recovery complications – perhaps their recovery process hit snags along the way.
  3. Dragging their heels – maybe negotiations with the attackers are ongoing, slowing things down.
  4. Paying the ransom anyway – or possibly they’ve already paid, and we just don’t know.

It could be any combination of the above, but again, this is all speculation. The only certainty is that we don’t have visibility — JLR hasn’t shared the details.

Alex points out that, in general, organisations with immutable or offline (air-gapped) backups and well-tested disaster recovery plans are often able to bounce back faster. The caveat is that backups only shorten an outage if restores have actually been rehearsed and the organisation can establish a clean point to restore to; restoring onto a network the attacker still has a foothold in just reopens the door. Other recent incidents, like the Marks & Spencer attack, showed systems gradually coming back online within a month. In JLR’s case, the only confirmed progress so far is their financial systems. With so few details being shared, it’s impossible to know what’s really going on behind the scenes, but what it does highlight is just how important backup and recovery strategies are in keeping downtime from stretching on.

The insurance twist

Chris flagged a curious detail: Jaguar Land Rover was reportedly midway through renewing their cyber insurance at the time of the attack, meaning they weren’t covered when it hit. An insider speaking to The Insurer confirmed that JLR didn’t have an active policy. Most reports suggest their previous coverage had lapsed, and the new one hadn’t been finalised yet.

If that’s true, it’s a serious misstep. Basic rule of thumb: if your old policy has expired, don’t leave a gap — make sure coverage continues until the new one kicks in. Chris uses this as another reminder that, no matter how sophisticated your security team or tech stack, getting the basics right matters first.

There’s another layer to JLR’s challenge. As a manufacturing giant, they have to manage both IT (information technology) and OT (operational technology) networks. OT covers the machinery, sensors and control systems that actually run production lines. Overlaying modern IT security practices, like zero trust principles, onto OT environments is notoriously tricky. Many OT machines run on legacy operating systems with limited or no updates from the vendor, and where a patch does exist, applying it can mean stopping the line and re-validating the equipment, so patching vulnerabilities and securing the network is a real headache. It’s not just about firewalls and antivirus; it’s about keeping a production line running safely while trying to lock down a sprawling, partially outdated network.

How businesses can protect themselves

Getting the basics right is everything. Alex has previously broken down how groups like Scattered Spider operate: social engineering is their bread and butter. They’ll phone IT help desks pretending to be an employee and talk their way into a password reset or, worse, get multi-factor authentication (MFA) re-enrolled onto a device they control, which hands them a working login. This makes strict authorisation procedures around account changes critical: verify the caller through a channel they can’t control, such as a callback to the number on file or manager sign-off, and treat MFA resets for privileged accounts as a change that needs a second approver.

Next up: EDR — endpoint detection and response. Having EDR in place on every device isn’t optional; it’s your early warning system. It monitors activity, spots unusual behaviour and can stop attacks before they spread across the network. If it’s not everywhere, you’ve got blind spots that attackers will happily exploit. Two caveats: an agent that is installed but not reporting in is a gap too, so reconcile the EDR console against your asset inventory regularly, and OT endpoints that can’t run an agent need network monitoring and isolation instead.

For manufacturers, one of the biggest mistakes is not isolating your OT network. OT — the machinery, sensors and production systems — should sit on its own network, physically separated or at the very least firewalled from corporate IT, with tightly controlled conduits for the few data flows that genuinely need to cross (the zones-and-conduits approach described in IEC 62443). If it isn’t, attackers who breach your primary network have a direct path into production, potentially causing massive downtime or safety risks, and the usual response of shutting everything down to contain them takes the line down with it.

Then there’s patching. Security updates should happen weekly, not monthly. Attackers diff vendor patches to locate the fixed flaw as soon as updates ship; the longer you wait, the easier it is for them to exploit you. Weekly may still not be perfect, but it’s a solid standard to aim for, with out-of-band fixes for anything internet-facing or already being exploited in the wild. And here’s the kicker: you must maintain that cadence consistently. Fall behind and you start building technical debt, outdated systems and unpatched holes piling up, which eventually circles back to failing the basics that keep you secure.
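The three "basics" above (leaked credentials still enabled, EDR blind spots, and patch cadence) are all inventory reconciliation problems, and they are worth checking with a script rather than by eye. The following is an added example, not JLR's or Synextra's tooling: it takes a constructed asset inventory, the host list an EDR console reports, a set of usernames seen in an infostealer dump, and the directory's enabled accounts, and produces a hygiene report. OT controllers are handled separately because the fix for an un-agented PLC is network isolation, not an agent install. All hostnames, usernames and dates are made up.

```python
"""Hygiene audit over a constructed asset inventory (added example, not the
tooling of any organisation named in the article). Inputs stand in for a CMDB
export, an EDR console host list, an infostealer credential dump and a
directory export; every name and date below is invented for illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Host:
    name: str
    last_patched: date
    ot: bool = False  # True for production-line kit that cannot run an agent


def edr_coverage_gaps(inventory, edr_enrolled):
    """Return (it_gaps, ot_unagented).

    IT hosts absent from the EDR console are blind spots to close by deploying
    (or repairing) the agent. OT hosts without an agent are expected on legacy
    equipment and are listed separately: their compensating control is network
    segmentation and monitoring, not an agent install.
    """
    enrolled = {name.lower() for name in edr_enrolled}
    it_gaps = sorted(h.name for h in inventory
                     if not h.ot and h.name.lower() not in enrolled)
    ot_unagented = sorted(h.name for h in inventory
                          if h.ot and h.name.lower() not in enrolled)
    return it_gaps, ot_unagented


def patch_sla_breaches(inventory, today, sla_days=7):
    """Hosts whose last successful patch run is older than the cadence.

    Returned as (hostname, days_since_patch), worst first. OT hosts are not
    filtered out: a 1,600-day-old controller is a fact the risk register needs,
    even if the remediation is isolation rather than a patch.
    """
    breaches = []
    for h in inventory:
        age = (today - h.last_patched).days
        if age > sla_days:
            breaches.append((h.name, age))
    return sorted(breaches, key=lambda item: -item[1])


def still_active_leaked_accounts(leaked_usernames, enabled_accounts):
    """Usernames from a credential dump that are still enabled in the directory.

    Matching is case-insensitive because dumps and directory exports rarely
    agree on case; every hit here should be reset or disabled immediately.
    """
    enabled = {u.lower() for u in enabled_accounts}
    return sorted({u.lower() for u in leaked_usernames} & enabled)


# Constructed sample data (not real hosts or accounts).
INVENTORY = [
    Host("fin-app-01", date(2025, 9, 22)),
    Host("hr-web-02", date(2025, 8, 30)),
    Host("eng-laptop-117", date(2025, 9, 20)),
    Host("plc-press-line-4", date(2021, 3, 1), ot=True),
    Host("hmi-paint-shop", date(2025, 9, 1), ot=True),
]
EDR_ENROLLED = ["FIN-APP-01", "eng-laptop-117", "hmi-paint-shop"]
LEAKED_USERNAMES = ["j.smith", "contractor07", "old.vendor"]
ENABLED_ACCOUNTS = ["J.Smith", "contractor07", "a.wells"]
TODAY = date(2025, 9, 29)


def hygiene_report(inventory=INVENTORY, edr_enrolled=EDR_ENROLLED,
                   leaked=LEAKED_USERNAMES, enabled=ENABLED_ACCOUNTS,
                   today=TODAY, sla_days=7):
    """Combine the three checks into one dict suitable for a weekly review."""
    it_gaps, ot_unagented = edr_coverage_gaps(inventory, edr_enrolled)
    return {
        "edr_gaps_it": it_gaps,
        "ot_without_agent": ot_unagented,
        "patch_sla_breaches": patch_sla_breaches(inventory, today, sla_days),
        "leaked_accounts_still_enabled": still_active_leaked_accounts(leaked, enabled),
    }


if __name__ == "__main__":
    for key, value in hygiene_report().items():
        print(f"{key}: {value}")
```

On the sample data the report flags hr-web-02 as an IT host with no EDR agent, plc-press-line-4 as an OT controller needing isolation, four hosts outside the seven-day patch window, and two leaked usernames that are still enabled. In a real environment the inputs would come from the CMDB, the EDR API and the directory; the point of the script is that each check is a set difference, so there is no excuse for not running it every week.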

In short: if your fundamentals aren’t solid, no flashy tech or expensive consultants can fully protect you.

Is technology to blame?

It’s easy to fall into the trap of thinking technology alone will save you. Tools like CrowdStrike, Sophos, SentinelOne and the rest are excellent — but they’re not a silver bullet. Too many organisations treat them as an outsourced responsibility: “We’ve bought the shiny thing, so we’re safe.”

Unless someone is actively looking after those tools — deploying them correctly, configuring policies for your specific environment, and maintaining them day to day — they won’t protect you the way you think they will. Security doesn’t come in a box.

As Alex puts it: “Security is a constant, proactive journey, and as soon as you pause, you’ll start to stagnate. You’ll suddenly realise your authentication policies are out of date because you haven’t looked at them in five years, and you’re still using a standard username and password for external authentication.”

Technology should be an enabler — but only if it’s combined with the right people, processes, and proactive mindset. Otherwise, it’s just a very expensive comfort blanket.

And that’s the wider problem. In the market, we see plenty of big organisations with a habit of throwing money at tech rather than recognising that security is a journey — one that cuts across people, processes, and technology. You’ve got to take the time to understand what your actual problems are and then tackle them in a structured, security-first way. Keep piling tools onto your stack without a fully thought-out plan, and all it takes is one small oversight to become the gap attackers slip through.

The ramifications

The fallout from this attack doesn’t just stop at Jaguar Land Rover’s factory gates. When production grinds to a halt, it ripples outward — hitting the thousands of suppliers that keep the business moving. With JLR unable to take deliveries, many suppliers have been left with parts piling up and cashflow under pressure.

The UK government has even stepped in with a rather unusual proposal: to buy parts directly from JLR’s suppliers and then sell them back to the automaker later, at a slightly higher price. It’s a short-term fix designed to keep suppliers afloat and production ready to restart when JLR gets back on its feet. But it also highlights just how serious the impact of a single cyber attack can be on an interconnected supply chain.

For JLR, the costs aren’t just financial. There’s reputational damage, strained supplier relationships, and a spotlight on their cyber resilience. For the wider industry, it’s a stark warning: if a company of this size and status can be knocked offline for weeks, nobody can afford to assume they’re safe.

Protecting your business from downtime

Jaguar Land Rover’s situation is a brutal reminder that cyber attacks don’t just hit IT systems — they hit operations, supply chains, reputations, and balance sheets. Whether this was ransomware or something else entirely, the fact remains: weeks of downtime is catastrophic for any business. The lesson for others is crystal clear — don’t wait for a breach to expose the cracks. Get the basics right, invest in the right people as well as the right technology, and treat security as the ongoing journey it really is. Because if an organisation of JLR’s size and resources can be hit this hard, it shows just how important it is for every business to take cyber resilience seriously.

Don’t wait for a cyber attack to test your defences.

We help businesses build security strategies that stand up to real-world threats — from ransomware to supply chain compromises. Get in touch to find out how we can help you nail the basics, tighten up your recovery plan, and keep your business moving when hackers come knocking.
