Updated September 4, 08:46 BST with Scattered Lapsus$ Hunters claim.

Jaguar Land Rover (JLR) is scrambling to restart global applications after a cybersecurity incident that it said had “severely disrupted” its plants.

The Tata Motors-owned company said Tuesday that it took “immediate action to mitigate its impact by proactively shutting down our systems.”

The firm’s statement suggests that disruption may have been caused in large part by aggressive efforts to isolate and shut down systems to avoid ransomware spreading. It did not specify the type of incident.

According to some reports, the group behind recent attacks on retailers M&S and Co-op have claimed responsibility for the JLR breach, sharing screenshots in a Telegram group they allege were taken inside JLR's IT operations.

The group, calling themselves Scattered Lapsus$ Hunters, reportedly outlined the attack path to the BBC and are seemingly trying to extort the manufacturer for money, but did not provide evidence on whether they had stolen private data.

JLR are believed to be investigating the claims but are yet to publicly comment.

Security researcher Kevin Beaumont noted of parent company Tata that it "appears to be online still but looks like a mess on Shodan, e.g. lots of SAP Netweaver boxes dangling directly off the internet..."

SAP NetWeaver users notably came under widespread attack in April this year, with threat actors gaining full RCE by exploiting a maximum criticality CVSS 10 vulnerability that was allocated CVE-2025-31324.

Analysts at security firm Nextron said as of April 28 that over 1,100 compromised SAP systems had malicious webshells uploaded. These "predominantly belong to large enterprises and critical infrastructure operators," the company added. Further attacks also followed. The Stack cannot, of course, confirm any relationship between these incidents and the JLR breach.


JLR added: “We are now working at pace to restart our global applications in a controlled manner” – a comment that suggests either confidence that it has the incident contained, or robust backups and a well-rehearsed playbook to restore systems.

The attack comes at a busy time for the automotive industry in the UK as new number plates are released, often prompting an increase in sales.

It first came to light after employees at JLR factories in the UK were told not to come into work early Monday morning after the "IT incident" was detected overnight on Sunday. Retail operations have also been affected.

HELLCAT

In a potentially unrelated incident, the HELLCAT ransomware group claimed in March that it breached JLR, saying that it had stolen over 700 internal documents.

On a cybercrime forum, HELLCAT hacker “Rey” shared a compromised employee dataset containing sensitive information, days before a second attacker, known as “APTS”, leaked a further 350GB of stolen data.

Both claimed to have stolen the data using third-party credentials for JLR’s Jira server collected by infostealer malware. JLR never publicly commented on that alleged breach and had not responded to a new request for comment by The Stack.


JLR’s 2025 annual report said security was “crucial” to its digital transformation and touted internal and external valuations showing “a positive trajectory in our security discipline.”

The car maker also highlighted its use of cybersecurity workshops, phishing tests, and a “cyber champion network” to train employees on security and its Information Security Compliance Framework.

As James Neilson, SVP International at cybersecurity company OPSWAT, noted however: “With the merging of IT and OT zones, automotive companies are more vulnerable to cyberattacks.” (There has been indication that the incident hit operational technology networks.)

Incident response professionals regularly tell The Stack that even organisations with mature security postures frequently find significant gaps in their playbooks when responding to incidents, whether that is restoring systems when you have lost your Active Directory, finding that backups were not well segmented and have also been attacked, and/or finding that nobody knows how to restore from the offline cold backups.

Hugops to the JLR team.


