The Tata Group has landed in troubled waters, this time with Jaguar Land Rover (JLR). Tata Motors’ British premium subsidiary contributes around 71% to the parent’s consolidated revenue and 79% to its profits (for FY2025), and has now encountered massive losses due to a cyberattack that crippled manufacturing units.

The company released a statement on September 16, saying that it has extended its current pause on production till September 24, after facing severe disruption from the cybersecurity attack since September 1.

The British automaker’s production being heavily automated, had to stop manufacturing across all factories, not only in Britain, but also in China, Slovakia and India to control damage. It has been more than two weeks since the company has not manufactured a single car, when a thousand cars are produced in a day globally.

This incident comes in as a blow after the British automaker recorded a decline in wholesale and retail sales by 10.7% and 15.1% in Q1FY2026 as a result of US tariffs and a reduced demand in China and Europe. The company also faced criticism for its Jaguar rebranding, with its electric fleet scheduled to be launched next year.

Fortune India delves deep to explain how the attack affects Britain’s largest automaker.

When did it all begin?

Jaguar Land Rover issued a notice about the company being impacted by a cyber incident, as dealers could not register new cars on September 1, which also coincides with one of the dates with the year’s highest registration. In the notice issued on September 2, the company had then said that there was no evidence that any customer data had been stolen, but retail and production activities had been ‘severely disrupted’.

JLR again announced on September 6 that the company was working with third‑party cybersecurity specialists and alongside law enforcement to restart global applications. On September 10, the company revealed that some data had been affected, and they would contact anyone as appropriate if they found that their data had been impacted.

On September 16, the company updated that they have extended the current pause in production until Wednesday, 24th September 2025. British newspaper The Telegraph reported on September 15 that the production shutdown could last until November, although JLR denied the news.

What losses has JLR suffered?

As per BBC reports, the cost to JLR itself is likely to be between £5 million and £10 million per day, meaning it has already lost between £50 million and £100 million. The carmaker reported that underlying pre-tax profits dropped 49% to £351m in the three months to June, with £58.27 million as profit after taxes (PAT).

Who is affected?

A Reuters report stated the financial impact of the stoppage on JLR's British supply chain includes many smaller companies and supports 104,000 jobs across the country. The news agency also found that JLR has asked its task force of 33,000 employees to stay at home.

Andy Palmer, a one-time senior executive at Nissan and former boss of Aston Martin, told the BBC that these smaller companies and suppliers, who are dependent on the car maker as the main customer, could go bust. “I would not be at all surprised to see bankruptcies,” he says.

Palmer added that he believes suppliers will have begun cutting their headcount dramatically to keep costs down. "You hold back in the first week or so of a shutdown. You bear those losses. But then, you go into the second week, more information becomes available, and then you cut hard. So, layoffs are either already happening or are being planned,” he was quoted as saying to the BBC.

Is there a government intervention?

As per a September 18 report by BBC, a group of MPs from the West Midlands and Merseyside has written to the government, asking for financial help for supply-chain firms affected by the attack.

As per an official statement dated September 17 by Unite, the UK’s automotive union, workers throughout the JLR supply chain are being laid off with reduced or zero pay, with some being advised to sign up for universal credit.

Unite said that a scheme must be introduced as soon as possible to ensure workers’ jobs remain open during the time it takes for JLR to recover its operations. The union has already had reports that supply chain workers impacted by the cyberattack at JLR are being laid off.

The severity of the delays means the banked hours agreements that usually accompany supply chain manufacturing shutdowns are not adequate. Unite general secretary Sharon Graham said, “Ministers need to act fast and introduce a furlough scheme to ensure that vital jobs and skills are not lost while JLR and its supply chain get back on their feet.”

Has Tata Motors released any statement?

Tata Motors, on September 1, informed the exchanges, NSE and BSE, about the IT security incident, that the company would “provide requisite disclosure as and when received from JLR”. There have been no further statements since then.

Who was responsible for the cyberattack?

As per several British media outlets, a group with names as Scattered Spider, Lapsus$, and ShinyHunters, collectively called “Scattered LAPSUS$ Hunters”, claimed responsibility for the cyber‑attack on JLR. This same group, with teens as the primary hacker population, has been linked to previous attacks on several different British retailers, such as Marks and Spencer, which apparently cost the retail company £300 million in online sales. Scattered Spider was also responsible for Co-op and Harrods facing a wave of cyberattacks through social engineering and impersonating IT help desk staff.

As per an article by FalconFeeds.io, a cloud-native SaaS platform that specialises in cyberthreat intelligence, the cybercrime group had a Telegram channel where it broadcasted leaks, extortion threats, and hacker boasts. They would use meme-style threats and polls as interactive elements to engage with the audience.

ShinyHunters targeted Google, Cisco and Salesforce using voice phishing. The hacking group deployed DragonForce ransomware to encrypt the victim’s network.

What was the group’s motive?

FalconFeeds.io told Fortune India that Scattered Spider tends to target organisations that operate consumer-facing, high-visibility brands, which have a large user base with valuable PII/financial data. By breaching into systems of known brands, it provides maximum media impact when disrupted. “In many cases, the choice of targets has as much to do with attention economics as with financial gain. For instance, airlines and automotive firms also represent critical infrastructure with interconnected IT/OT systems — attractive for hackers looking to demonstrate capability,” FalconFeeds.io’s spokesperson said.

What is the true cost of cyberattacks for companies?

Cybersecurity Ventures, a global cyber market-watcher, estimates that the costs of cyber ransomware will reach $57 billion annually. The 2025 calculation breaks down to $4.8 billion per month, $1.1 billion per week, $156 million per day, $6.5 million per hour, $109,000 per minute, and $2,400 per second. For 2015, the annual cost of ransomware was estimated at $325 million. They also predict that ransomware will cost the world more than $20 billion per month in 2031, up from $20 billion per year in 2021.

Financial damages aside, such attacks also cost companies their reputation, as they erode customers’ trust, while business partners, both existing and potential, would hesitate to continue doing business. It also leads to negative publicity, further hampering the name of the companies. These costs, though hidden, escalate brand degradation.

Where is the Scattered LAPSUS$ Hunters group now?

On September 12, Scattered LAPSUS$ Hunters said that they are shutting down their operations. "Our objectives having been fulfilled, it is now time to say goodbye," in a Telegram post and on breachforums, a platform for hackers. But officials working in cybercrime intelligence think that this “retirement” is a smokescreen. According to Cian Heasley, Acumen Cyber Principal Consultant and Threat Intelligence Lead, the group would be fearful of mounting legal action for their attacks. "It's a transparent move that suggests its members are buying some breathing time, panicking about the threat of prison, and arguing behind the scenes about how much trouble they are actually in and the need to be cautious," said Heasley to SC Media.