Jaguar Land Rover is restoring systems after a cyberattack disrupted production and sales, with a hacker group previously linked to the M&S data breach claiming responsibility for the breach.
Jaguar Land Rover (JLR ) has confirmed it is recovering from a major cyber incident that forced parts of its global operations offline. Production lines and retail systems were disrupted after the company decided to shut down its IT environment as a containment measure.
The disruption meant dealers could continue selling vehicles already in stock, but were unable to register new cars for customers. Reports from staff and partners described significant delays, with some systems still being restored days later. JLR said it is working through a phased restart and that there is no evidence of customer data being compromised.
The hacker group connected to the Marks & Spencer data breach is stepping forward and claiming responsibility for the attack on Jaguar Land Rover. On a Telegram channel tied to collectives such as Scattered Spider, Lapsus$, and ShinyHunters, the group known as “Rey” posted a screenshot showing internal hostnames from JLR systems, giving credibility to the claim.
Analysts note that the screenshot aligns with the nature of an exploit revealed on Telegram earlier: a combination of two SAP NetWeaver vulnerabilities (CVE‑2025‑31324 and CVE‑2025‑42999), chained to gain administrative access and execute commands. While JLR has not verified the authenticity of these claims, the evidence suggests the attackers may be exploiting a sophisticated, multi-stage technical approach to breach the systems.
“This cyberattack isn’t just an operational setback. It is a revenue issue across the entire chain. Data suggests every hour of downtime in the automotive sector could cost upwards of £1.6M. Every day of halted production means fewer cars to sell, while dealers are losing immediate income from being unable to register or deliver vehicles, explained Tim Grieveson, CISO at ThingsRecon.
“For JLR, the priority is to quantify and communicate the financial exposure quickly, both in terms of missed sales and delayed cash flow. For dealers, the focus should be on customer management, which means keeping buyers informed, identifying potential data breaches that could feed down the chain, and pushing for contingency support from the manufacturer. The real risk is longer-term damage to customer confidence if remediation isn’t swift and transparent,” stressed Tim.
While JLR has not shared details on the exact number of sites affected or how long full recovery will take, it confirmed that systems are coming back online in stages. The company said in a press release that its teams, along with external cybersecurity specialists, are continuing investigations.
The incident shows how cyberattacks are no longer isolated IT problems but events that can disrupt production, revenue, and brand reputation across an entire sector. For automakers like JLR, the pressure is now on to restore operations quickly while reassuring both customers and partners that the road ahead is secure.
