On 2nd September 2025 JLR released a press statement which reads as follows:
“JLR has been impacted by a cyber incident. We took immediate action to mitigate its impact by proactively shutting down our systems. We are now working at pace to restart our global applications in a controlled manner. At this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted.” https://media.jaguarlandrover.com/news/2025/09/statement-cyber-incident
Other media reports indicate that production has been halted, new vehicle registrations cannot be processed by their dealer network, and that staff have been sent home as a result of the cyber incident. https://bmmagazine.co.uk/news/jlr-cyber-attack-production-halts/
Key observations
- Notably JLR have indicated they are already in the recovery phase and are attempting to restart their global operations. This indicates that there may have been an ‘impact’ phase of the attack, ordinarily encryption/destruction of systems, as would be typical in a ‘ransomware’ style of attack.
- No clear indication has been provided of when the attack took place, when initial access was obtained, or the method by which the attack was made possible.
- Although JLR say there is no evidence of customer data having been stolen, data may have been taken prior to the impact phase, as ordinarily occurs in a cyber-attack of this nature: most cyber criminal groups that carry out ransomware attacks use ‘double extortion’ tactics.
Implied risks to associated organisations
- An “at pace” recovery effort will introduce additional risks to the recovery, and by extension to organisations within the JLR supply chain, dealer network and customer base.
- There is a risk that data exfiltration has occurred but has not yet been discovered by the forensic team investigating the incident, and that the exfiltrated data may include data which directly or indirectly impacts those organisations.
- It is unclear how much support JLR will offer to affected organisations to determine whether any consequential risk has been created which affects them; for example, whether the network infrastructure, systems or processes operated by these organisations have been compromised as a result of, or perhaps as a component of, the cyber incident.
Recommendations for associated organisations
- Review data flows, and the methods used for them, between JLR and the associated organisation.
- Review trusted communication methods that exist between JLR and associated organisations, for example VPN tunnels, e-mail, shared portals and document sharing systems.
- Identify if any personal or financial data stored on the associated organisation's systems may have been accessed, theoretically or otherwise, by JLR.
- Identify any personal or financial data that may have been shared with JLR, as the data processor, but for which the associated organisation is the data controller.
- Immediately isolate any systems within the control of the associated organisation that JLR have access to. These should all be considered compromised until proven otherwise.
- Review access logs of any systems that JLR had access to, to determine if any unauthorised access or activity has taken place.
- Take proactive steps to control the risk of consequential activity resulting from the cyber incident, for example:
  - Fraudulent e-mails and phone calls claiming to be from JLR.
  - Fraudsters claiming to have been affected by the JLR cyber incident and requesting sensitive or personal information.
- Outstanding invoices due to JLR should be verified with additional scrutiny, to ensure they have not been tampered with prior to the cyber incident.