Thousands of workers at Jaguar Land Rover (JLR) were told to ‘stay at home’, and customers are facing major delivery delays after a cyber attack forced the company to shut down production across its plants.
The incident, which began on Sunday, halted the UK’s biggest carmaker’s operations at sites in Solihull, Halewood, Wolverhampton and Castle Bromwich, disrupting retail systems during one of the busiest weeks of the year for new car registrations.
Dealers have been unable to process some of the new ‘76’ plates launched on 1 September, leaving its customers waiting longer for their vehicles, in some cases after already part-exchanging old cars.
JLR, which is owned by India’s Tata Motors, said it had “proactively shut down” systems to contain the cyber breach and was “working at pace” to restore operations.
The firm stressed there was “no evidence” of customer data being stolen and has reported the incident to the Information Commissioner’s Office (ICO).
Hacker group claims responsibility
A collective calling itself ‘scattered lapsus$ hunters’, an alliance of the ‘shiny hunters’, ‘lapsus$’ and ‘scattered spider’ groups, has claimed responsibility.
All of these subsidiaries have been linked to major corporate breaches in the past twelve months.
Sam Kirkman, director of services at NetSPI, noted this incident shows just how much harder cybercriminals are becoming to predict by pooling resources.
“JLR has stated that they took proactive steps to contain the breach and minimise its impact, which is commendable” he said.
The group has released only limited evidence of its involvement, with experts cautioning that attribution in such cases is often unclear.
Disruption at scale
The timing of the cyber attack, coinciding with the launch of the new registration plates, has been interpreted as strategic.
“Cybercriminals often aim for the biggest possible disruptive impact”, argued Jake Moore, global cybersecurity advisor at ESET.
“Striking at a time when more customers are likely to see potential delays…will have been a tactful decision made by the attackers.”
Patrick Burgess, a cybersecurity specialist at the Chartered Institute for IT, also warned the disruption could last “weeks, if not months”, if the firm’s core systems are affected.
The National Crime Agency confirmed it was investigating and working with partners to assess the incident.
Growing threat to manufacturers
The JLR breach follows a spate of high-profile cyber attacks on UK retailers and manufacturers, including Marks & Spencer, Co-op and Harrods.
Bridgestone Americas also reported a “limited cyber incident” on Sunday, the same day as JLR,in a sign the automotive sector is firmly in the crosshairs.
Comparitech data showed ransomware attacks on manufacturers jumped 57 per cent between July and August alone.
Experts have said criminals see the sector as particularly vulnerable because of the disruption that downtime can cause.
“Phishing, social engineering and account compromise remain the most common route of attack, while the size of targeted companies such as Harrods, M&S and Jaguar Land Rover show that no company is immune”, argued George Glass, associate managing director at Kroll.
For JLR, the immediate focus is restarting production lines that normally turn out around 1,000 cars a day.