Chris Vallance and Theo Leggett of the BBC report:
A cyber-attack has “severely disrupted” Jaguar Land Rover (JLR) vehicle production, including at its two main UK plants.
The company, which is owned by India’s Tata Motors, said it took immediate action to lessen the impact of the hack and is working quickly to restart operations.
JLR’s retail business has also been badly hit at a traditionally a popular time for consumers to take delivery of a new vehicle – but there is no evidence any customer data had been stolen, it said.
The attack began on Sunday as the latest batch of new registration plates became available on Monday, 1 September.
… In 2023, as part of an effort to “accelerate digital transformation across its business”, JLR signed a five-year, £800m deal with corporate stablemate Tata Consultancy Services to provide cybersecurity and a range of other IT services.
Read more at The BBC.
JLR’s complete statement currently on its website reads:
JLR has been impacted by a cyber incident. We took immediate action to mitigate its impact by proactively shutting down our systems. We are now working at pace to restart our global applications in a controlled manner. At this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted.
The Telegraph is reporting that the group responsible for the Marks & Spencer hack is claiming responsibility for this attack but that they cannot confirm the claims. In the Marks & Spencer incident, which was widely attributed to Scattered Spider, the attackers were believed to have socially engineered a Tata Consultancy employee, whose account was then used to send an email to M&S that deployed DragonForce ransomware. That scenario was never confirmed (or refuted) by M&S or Tata Consultancy Services.
This is not the first time this year Jaguar Land Rover has been the target of a cyberattack. In March 2025, Hudson Rock reported that JLR had been victimized twice. The first time was by Hellcat who exploited JIRA credentials harvested by using an LG Electronics’ employee’s credentials that had been compromised by an infostealer. Data was leaked on BreachForums by Hellcat member “Rey.” Days later, another threat actor calling themself “APTS” announced that they, too, had hacked JLR, and had exploited infostealer credentials of an LG Electronics employee going back to 2021. Their leak involved even more data than Hellcat’s leak.
“Rey” has recently been active in the Telegram channel for Scattered Spider, Lapsus$, and ShinyHunters and has posted evidence of a shell showing internal hostnames. DataBreaches has not attempted to verify the data with JLR at this point. A spokesperson also reportedly told The Telegraph that they had exploited a widely-known flaw in a third-party software known as SAP Netweaver.
As Security Week reported, someone linked to Scattered Spider released what was allegedly a 0-day exploit targeting SAP NetWeaver on Telegram.
After analyzing the exploit, enterprise application security firm Onapsis concluded that it was actually built to chain the known flaws CVE-2025-31324 and CVE-2025-42999 for the execution of arbitrary system commands with administrator privileges.
“In essence, the attackers first use the missing authentication vulnerability (CVE-2025-31324) to access the critical functionality without authentication and get their malicious payload to the server. Then, they exploit the de-serialization flaw (CVE-2025-42999) to deserialize the malicious payload and execute that code with the privileges of the SAP system,” Onapsis explains.
The release of the exploit by a member of Scattered Spider and the JLR incident involving exploitation provide some support for Scattered Spider’s claim of responsibility for the attack, as does the shell posted by Rey. In response to The Telegraph‘s reporting, a member of the group posted a message saying, “3 times in a row…. will there be a fourth time?”