How hackers got JLR on its knees, daily losses estimated at £5 mn-£10 mn

Tata Motors’ UK subsidiary, Jaguar Land Rover (JLR), has extended its current pause on production till September 24, after facing severe disruption from the cybersecurity attack since September 1.

The British automaker’s production being heavily automated, had to stop manufacturing across all factories, not only in Britain, but also in China, Slovakia and India to control damage. This is the third week that the company, which rolls out a thousand cars a day globally, has not manufactured a single car.

This incident comes in after the British automaker recorded a decline in wholesale and retail sales by 10.7% and 15.1% in Q1FY2026 on the back of US tariffs and a reduced demand in China and Europe. The company also faced criticism for its Jaguar rebranding, with its electric fleet scheduled to be launched next year.

As per a news report by BBC, the cyberattack will cost JLR anywhere between £5 million and £10 million per day, meaning it has already lost between £50 million and £100 million. The development comes even as the carmaker has reported a 49% drop in pre-tax profits to £351m in the three months to June.

A Reuters report stated that the financial impact of the stoppage on JLR's British supply chain, which includes many smaller companies and supports 104,000 jobs across the country. The news agency also found that JLR has asked its task force of 33,000 employees to stay at home.

Andy Palmer, a one-time senior executive at Nissan and former boss of Aston Martin, told the BBC that these smaller companies and suppliers, who are dependent on the car maker as the main customer, could go bust. “I would not be at all surprised to see bankruptcies,” he was quoted as saying.

Palmer added that he believes suppliers would have begun cutting their headcount dramatically to keep costs down. "You hold back in the first week or so of a shutdown. You bear those losses. But then, you go into the second week, more information becomes available, and then you cut hard. So, layoffs are either already happening or are being planned,” he told the BBC.

As per an official statement by Unite, the UK’s automotive union, it said that a scheme must be introduced as soon as possible to ensure workers’ jobs remain open during the time it takes for JLR to recover its operations. The union has already had reports that supply chain workers impacted by the cyberattack at JLR are being laid off.

The severity of the delays means the banked hours agreements that usually accompany supply chain manufacturing shutdowns are not adequate. Unite general secretary Sharon Graham said, “Ministers need to act fast and introduce a furlough scheme to ensure that vital jobs and skills are not lost while JLR and its supply chain get back on their feet.”

The timeline to doom

JLR had first issued a notice about the company being impacted by a cyber incident, as dealers could not register new cars on September 1, which also coincides with one of the dates with the year’s highest registration. In the notice, issued on September 2, the company had then said that there was no evidence that any customer data had been stolen, but retail and production activities had been ‘severely disrupted’.

JLR again announced on September 6 that the company was working with third‑party cybersecurity specialists and alongside law enforcement to restart global applications. On September 10, the company revealed that some data had been affected, and they would contact anyone as appropriate if they found that their data had been impacted.

On September 16, today, the company updated that they have extended the current pause in production until Wednesday, 24th September 2025. British newspaper The Telegraph reported on Monday that the production shutdown could last until November, although JLR denied the news.

Who was responsible for the cyberattack?

As per several British media outlets, a group with names as Scattered Spider, Lapsus$, and ShinyHunters, collectively called “Scattered LAPSUS$ Hunters”, claimed responsibility for the cyber‑attack on JLR. This same group, with teens as the primary hacker population, has been linked to previous attacks on several different British retailers, such as Marks and Spencer, which apparently cost the retail company £300 million in online sales. Scattered Spider was also responsible for Co-op and Harrods facing a wave of cyberattacks through social engineering and impersonating IT help desk staff.

As per an article by FalconFeeds.io, a cloud-native SaaS platform that specialises in cyberthreat intelligence, the cybercrime group had a Telegram channel where it broadcasted leaks, extortion threats, and hacker boasts. They would use meme-style threats and polls as interactive elements to engage with the audience.

ShinyHunters targeted Google, Cisco and Salesforce using voice phishing. The hacking group deployed DragonForce ransomware to encrypt the victim’s network.

On September 12, Scattered LAPSUS$ Hunters said that they are shutting down their operations. "Our objectives having been fulfilled, it is now time to say goodbye," in a Telegram post and on breachforums, a platform for hackers.

While the cybercrime group might have “gone dark” for now, Tata Motors’ prized subsidiary—Jaguar Land Rover, is crippled by this cyberattack by teens, causing distress to the entire supply chain and inflicting losses that could amount to millions.