Jaguar Land Rover: how a cyber attack cost the British economy £1.9 billion

On January 5, 2026, British carmaker Jaguar Land Rover released its preliminary figures for the third quarter of fiscal 2026. These results confirm the scale of the shock caused by the cyberattack in September 2025: wholesale sales volumes plunged by 43.3%, while retail sales fell by 25.1%. An industrial and economic catastrophe whose repercussions are still being felt several months after the attack.

From suspicious activity to total shutdown

It all began on August 31, 2025. Managers at the Halewood plant in the UK noticed abnormal behavior on certain IT systems. The next day, Jaguar Land Rover (JLR) IT teams detected an intrusion into their network. The compromise was serious enough for the automaker to take the radical step of massively shutting down its IT systems to contain the spread.

On September 2, the group issued its first official statement: “JLR has been impacted by a cyber incident. We have taken immediate steps to mitigate its impact by proactively shutting down our systems. At this stage, there is no evidence that any customer data has been stolen, but our retail and production activities have been severely disrupted.”

The immediate effect of this protective measure is a complete halt to production at all the automaker’s plants, whether in the UK, Slovakia, China or India. Under normal circumstances, Jaguar Land Rover produces over 1,000 vehicles a day. All lines are now at a standstill.

When a week’s shutdown turns into six weeks

In the early days, there was still hope of a rapid recovery. The automaker says it is working “at a steady pace to restart our global applications in a controlled manner”. But the reality proved far more complex.

On September 10, eight days after the attack was discovered, Jaguar Land Rover confirmed that the attackers had also stolen data: “Following our ongoing investigation, we now believe that some data has been affected and are informing the relevant authorities.” The company states that its forensic investigation is continuing, and that it will contact those concerned if necessary.

On September 16, a new announcement: production will not resume until at least September 24. “We have taken this decision while our forensic investigation into the cyber incident continues, and while we study the various stages of the controlled restart of our global operations, which will take time,” explains the group. At this stage, three and a half weeks of production have already been lost. Industry sources point to a possible disruption until November.

Faced with the scale of the crisis and its impact on the British supply chain, the British government intervened on September 28, approving a £1.5 billion loan guarantee to help the manufacturer restore its supply chain and restart production.

Production finally restarts on October 8, 2025, following a gradual, controlled approach. But it will be mid-November before the company returns to normal production levels. In the meantime, the distribution of vehicles already produced before the attack was also slowed down considerably. The result: more than six weeks of lost production.

Scattered Lapsus$ Hunters: the claim of responsibility

Shortly after the attack, a group of cybercriminals identifying themselves as Scattered Lapsus$ Hunters claimed responsibility for the incident on Telegram. This collective claims to be a collaboration of criminals associated with Lapsus$, Scattered Spider and ShinyHunters, three English-speaking groups known for their social engineering and extortion tactics. The attackers publish screenshots of an internal Jaguar Land Rover SAP system and claim to have also deployed ransomware on the compromised systems. This same group is also responsible for a massive wave of attacks against Salesforce instances, having compromised data from many leading companies, including Google, Cloudflare, Palo Alto Networks and many others.

Neither Jaguar Land Rover nor its parent company Tata Motors have officially confirmed the attribution of the attack to this group. No details have been provided on the exact nature of the malware used.

The UK already hard hit by ransomware attacks in 2025

The attack on JLR comes against a difficult backdrop for the UK economy in 2025. The country has already seen several major cyberattacks this year, including against Marks & Spencer (loss of around £300 million after a two-month shutdown of its online services in April) and Co-op, also claimed by Dragonforce.

£196 million for Jaguar Land Rover, £1.9 billion for the UK

In its financial results published in November 2025, the automaker reveals that the attack cost £196 million in the second quarter of its fiscal year. The company posts a pre-tax loss of £485 million for the July-September 2025 quarter, compared with a profit of £398 million for the same period the previous year.

“This decrease in profitability is largely due to the cyber incident, the ongoing impact of US tariffs, the aforementioned reduction in volumes and increased variable marketing expenses,” the group statement said.

Figures for the third fiscal quarter of 2026, unveiled on January 5, 2026, confirm the seriousness of the situation. Wholesale sales fell to 59,200 vehicles, down 43.3% year-on-year. Retail sales fell to 79,600 units, down 25.1%. All regions were affected: North America fell by 64.4%, Europe by 47.6% and China by 46%. Only the UK limited the decline to 0.9%.

“Due to this incident and the time required to distribute vehicles worldwide once produced, wholesale and retail volumes have decreased on a quarterly and annual basis,” explains Jaguar Land Rover. The group points out that production only returned to normal levels in mid-November, and that it then took additional time to get the vehicles to world markets.

But the impact goes far beyond the manufacturer’s perimeter. The Cyber Monitoring Centre (CMC), a UK cyber-threat watchdog, estimates that the incident caused a financial impact of £1.9 billion to the UK economy and affected over 5,000 businesses in the UK. The incident is classified as Category 3, corresponding to a financial loss of between £1 and £5 billion to the UK operations of the affected organizations. It is the most costly cyber attack in UK history.

The Bank of England also cited the Jaguar Land Rover cyber attack as one of the key factors contributing to lower-than-expected UK GDP growth in the third quarter of 2025. In its November 2025 Monetary Policy Report, the institution states that the production stoppage at JLR directly contributed to a 0.17 percentage point contraction in GDP in September, helping to tip the economy into contraction.

When 5,000 companies pay the price of an attack

The sudden halt to production at Jaguar Land Rover sent shockwaves through the British automotive supply chain. The manufacturer, which employs over 39,000 people and generates annual sales of more than $38 billion, normally produces more than 400,000 vehicles a year.

According to the Cyber Monitoring Centre, over 5,000 UK organizations have been impacted by the shutdown. These include first-, second- and third-tier automotive parts suppliers, logistics companies, service providers and dealerships. Many of these companies are financially fragile SMEs, which do not have the resources to withstand a prolonged shutdown.

Jason Richards, regional manager for the West Midlands at the trade union Unite, told the BBC: “We’re already seeing employers having discussions about possible redundancies. People have to pay their rent, they have to pay their mortgage, and if they’re not getting any wages, what are they supposed to do? We have to have a supply chain for Jaguar Land Rover. I can’t stress that enough, because if JLR opens the floodgates expecting the supply chain to be there waiting, it won’t be there.”

The Unite union has called for a government-funded short-time working scheme to help pay the wages of those in the sector unable to work because of the shutdown.

Evtec Group: a hard-hit supplier

The impact on suppliers is not theoretical. Evtec Group, a major equipment manufacturer based in Coventry, had to place 900 employees on short-time working at 80% pay for the duration of the shutdown. The company has estimated its losses at £13 million. According to company chairman David Roberts, without the government’s emergency measures, many suppliers would have gone out of business. However, he was keen to point out the real situation: “We must not forget who is to blame here. This is all the fault of criminals. JLR is the victim here. We should remember who started this, and it wasn’t JLR.”

According to the Cyber Monitoring Centre, full recovery will not be achieved until January 2026, more than four months after the gradual resumption of production. Some suppliers have warned that they could face up to six months of cash flow difficulties as a result of the attack.

December 2025: employee data theft confirmed

Almost four months after the attack, Jaguar Land Rover notifies current and former employees that their personal data has been compromised. In an email sent to staff in December 2025, the automaker explains that the affected data includes “information held in connection with employment and certain information required to administer payroll, benefits and personnel programs for employees and dependents”.

Stolen data includes bank details, tax codes, National Insurance numbers, salary information, addresses and other sensitive information. The company states that there is no evidence that this data has been used maliciously, but calls on its employees to be vigilant against phishing attempts that could exploit this information.

The Group is setting up a hotline and offering credit and identity monitoring services for those affected. The incident concerns the automaker’s 38,000 current and former employees, as well as subcontractors.

Beyond the cyber attack: multiple challenges

While the impact of the cyber attack is undeniable, Jaguar Land Rover is also facing other challenges that have amplified the fall in sales in the third quarter. The automaker said that “the phasing out of production of older Jaguar models ahead of the launch of the new Jaguar” contributed to the drop in volumes. The Group is pursuing its strategy of transforming the Jaguar brand towards a 100% electric range planned for 2026.

US tariffs affecting exports to the United States also weighed on volumes. North America recorded the sharpest drop in wholesale sales, down 64.4%.

Lessons from the crisis

The attack on Jaguar Land Rover illustrates several realities of industrial cybersecurity. The interdependence of modern supply chains creates systemic vulnerabilities: a single incident at a major manufacturer can paralyze thousands of companies. The real cost of a cyber attack goes far beyond the direct losses of the targeted company, with measurable macro-economic repercussions.

The case also demonstrates that a controlled restart of operations after a major incident can take several weeks, even months. Even after production resumed in early October, it took until mid-November to return to a normal rhythm, and even longer to replenish stocks and deliver to customers. The late notification of the theft of employee data, four months after the attack, also raises questions about forensic investigation times and communication with those affected.

Essential protection measures

In the face of these risks, companies need to ensure that certain fundamentals are in place: network segmentation to limit propagation, multi-factor authentication on all critical accesses, continuous monitoring with 24/7 response capability, and a robust backup strategy including isolated and regularly tested copies. Simulation exercises help to ensure that business continuity plans really work in a crisis situation.

Reacting after an attack

The Jaguar Land Rover case is a reminder that no company is immune from a cyber attack with major consequences. If your business suffers a ransomware attack, our team of data recovery experts can intervene quickly to assess the situation, identify technical recovery options and limit the impact on your business.

Contact us now for emergency intervention.
