EN
EN
Book an introduction
Blog

Jaguar Land Rover: a case study on cyber resilience

At the end of August 2025, Jaguar Land Rover (JLR), the largest British car manufacturer, fell victim to a large-scale cyberattack. The company referred to it as a “cyber incident” in an official statement and shut down its IT systems worldwide to prevent further spread and damage.

The consequences were immediately noticeable. Production came to a complete standstill at several factories in the United Kingdom and abroad. It is estimated that more than a thousand vehicles could not roll off the production line every day. Dealer systems and registration tools were not working, bringing deliveries and customer service to a standstill.

JLR confirmed that “some data has been affected.” This points to possible data theft or exfiltration, although it remains unclear whether this concerns customer data, internal company documentation, or intellectual property.

 

How did it happen?

JLR itself shares few technical details, but based on public information and similar incidents, a likely scenario can be outlined.

Many attacks on multinationals follow a recognizable pattern:

  1. Initiële toegang – often via phishing, misuse of stolen login credentials, or vulnerabilities in external systems. At JLR, it is suspected that SaaS platforms in the supply chain also played a role.

  2. Privilege escalation – attackers increase their rights and gain access to critical accounts or domain controllers.

  3. Lateral movement – using tools such as Mimikatz or Cobalt Strike, they spread through the network and find their way into production environments.

  4. Impact phase – systems are encrypted (ransomware) and at the same time data is stolen to exert additional pressure (double extortion).

A hacker collective with ties to Scattered Spider and Lapsus$ claimed responsibility for the attack. This has not been officially confirmed, but the method fits their profile: social engineering attacks combined with advanced access techniques.

 

What was the impact on the company?

The attack had far-reaching consequences, both operationally and financially.

  • Production: factories in Solihull, Halewood, and Wolverhampton were shut down for weeks. This meant thousands of missed vehicles and major disruptions to delivery schedules.

  • Employees: more than 30,000 staff members were temporarily unable to work. Some unions even called on employees to apply for government support.

  • Supply chain: hundreds of suppliers, often smaller companies that are heavily dependent on JLR, saw their orders disappear. For some, this meant temporary closure or layoffs.

  • Finances: the shutdown cost an estimated tens of millions of pounds per day. In addition to lost revenue, there are recovery costs, potential claims, and reputational damage.

  • Strategy: the attack puts pressure on JLR’s transition to electric vehicles and digital “smart factory” processes. Projects are being delayed or reviewed.

  • Reputation: uncertainty surrounding possible data leaks is undermining the confidence of customers, investors, and regulators.

 

How could this have been prevented?

No company can say with certainty that a cyberattack will never succeed. Attackers are becoming increasingly professional, using advanced techniques and often finding weak links, whether in technology, processes, or human behavior. What is possible, however, is to limit the damage and recover more quickly.

The attack on JLR demonstrates how important it is to be prepared:

  • Network resilience: a clear separation between office IT and production environments makes it more difficult to penetrate critical processes from an initial intrusion.

  • Controlling access: strict identity and access management policies with modern authentication reduce the chances of one compromised account leading to a major outage.

  • Recovery capacity: regularly tested backups and disaster recovery plans are essential for a faster restart.

  • Detection and response: organizations that recognize anomalies early and immediately activate an incident response process keep the impact limited.

  • Crisis culture: transparent communication and a well-trained crisis team help maintain trust among employees, customers, and regulators, even when systems are down.

The point is not that JLR would have been “safe” with these measures in place, but that companies that have such mechanisms in place recover faster, suffer less operational damage, and emerge stronger from an incident.

 

Conclusion

The attack on Jaguar Land Rover shows how vulnerable even the largest industrial players are. A single successful breach can shut down a multinational company for weeks, with enormous economic and social consequences.

The incident makes it clear that cybersecurity is not merely an IT responsibility, but a strategic issue that directly determines business continuity. Companies that invest in network segmentation, robust recovery procedures, strong access security, and a clear crisis framework not only increase their resilience but also protect their future.