Jaguar Land Rover

News

Jaguar Land Rover extends production shutdown for another week

Jaguar Land Rover says that vehicle production will remain suspended in the wake of a cyber attack, while the hackers allegedly responsible claim they are retiring from a life of crime.

Alex Scroxton
By
Published: 16 Sep 2025 17:55

Jaguar Land Rover (JLR) has extended a pause in vehicle production for at least another week following a cyber attack by the Scattered Lapsus$ Hunters hacking collective comprising members of the Scattered Spider, ShinyHunters, and Lapsus$ gangs.

The incident, which began at the end of August before becoming public on 2 September, forced the suspension of work at JLR’s Merseyside plant and has also affected its retail services.

It has since emerged that data of an undisclosed nature has been compromised by the cyber gang – which has been boasting of its exploits on Telegram but has also now claimed to have retired – and notified the relevant regulators. Its forensic investigation continues.

A JLR spokesperson said: “Today we have informed colleagues, suppliers and partners that we have extended the current pause in our production until Wednesday 24 September 2025. 

“We have taken this decision as our forensic investigation of the cyber incident continues, and as we consider the different stages of the controlled restart of our global operations, which will take time. 

“We are very sorry for the continued disruption this incident is causing and we will continue to update as the investigation progresses,” they said.

James McQuiggan, CISO advisor at KnowBe4, said the continuing disruption at JLR demonstrated how entwined cyber security and wider business resilience have now become.

"When core systems are taken offline, the impact cascades through employees, suppliers and customers, showing that business continuity and cyber defence should be indivisible,” he said. “Beyond immediate disruption, data theft during such incidents increases the long-term risks, from reputational damage to regulatory consequences.”

“To mitigate these risks, organisations should regularly test and update their business continuity and incident response plans, strengthen supply chain risk assessments, and adopt zero-trust principles to limit attacker movement.”

McQuiggan added: “Just as important is addressing human risk, as social engineering remains the leading entry point for attackers. Ongoing security awareness, phishing simulations, and behavior analysis of users in a human risk management program help users recognise and resist malicious tactics. By combining strong technical controls with a culture of cyber resilience, organisations can reduce their exposure and recover with greater confidence.”

Golden parachutes

Meanwhile, the supposed Scattered Lapsus$ Hunters shutdown – announced via BreachForums and Telegram across a number of frequently crude postings – saw  ‘farewell’ messages that included a number of apologies to the families of some gang members scooped up in law enforcement actions, to JLR, and to Google and CrowdStrike.

In the messages, reviewed by CyberNews, one of the supposed gang members even addressed the CIA, saying they were “so very sorry” they leaked classified documents and “had no idea what they were doing”.

“Please forgive me and f*** Iran. I will be going to the rehab center for 60 days,” they added.

The gang’s alleged climbdown has drawn a sceptical eye from cyber community members who, based on years of experience, know that cyber criminals rarely if ever pack up shop and go straight.

Cian Heasley, principal consultant at Acumen Cyber, said that the gang’s talk of activating “contingency plans” and a call for fans not to worry about them as they would be enjoying their “golden parachutes with the millions the group accumulated [sic]”, seemed far-fetched.

“This is a transparent move that suggests its members are buying some breathing time, panicking about the threat of prison, and arguing behind the scenes about how much trouble they are actually in and the need to be cautious,” said Heasley.

“Given the volatile and explosive nature of the group, it’s hard to imagine they carried out this level of due diligence.

“The lure of the money and excitement that comes with cyber crime will inevitably draw them back in eventually,” added Heasley.

Indeed, even amid its farewell messages, Scattered Lapsus$ Hunters hinted at future developments and taunted the likes of the FBI and Mandiant, and various victims including luxury goods house Kering and Air France.

It also named British Airlines, an organisation that does not exist but which may be a reference to British Airways (BA).

BA is not known to have been attacked at the time of writing, suggesting that more victims of the recent hacking spree may yet come to light.

Timeline: Scattered Spider and ShinyHunters

  • 22 April 2025: A cyber attack at M&S has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services.
  • 24 April: M&S is still unable to provide contactless payment or click-and-collect services amid a cyber attack that it says has forced it to move a number of processes offline to safeguard its customers, staff and business.
  • 25 April: M&S shuts down online sales as it works to contain and mitigate a severe cyber attack on its systems.
  • 29 April: An infamous hacking collective may have been behind the ongoing cyber attack on M&S that has crippled systems at the retailer and left its ecommerce operation in disarray.
  • 30 April: A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack.
  • 1 May: Co-op tells staff to stop using their VPNs and be wary that their communications channels may be being monitored, as a cyber attack on the organisation continues to develop.
  • 1 May: Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact.
  • 2 May: The National Cyber Security Centre confirms it is providing assistance to M&S, Co-op and Harrods as concerns grow among UK retailers.
  • 7 May: No end is yet in sight for UK retailers subjected to apparent ransomware attacks.
  • 13 May: M&S is instructing all of its customers to change their account passwords after a significant amount of data was stolen in a DragonForce ransomware attack.
  • 14 May: Google’s threat intel analysts are aware of a number of in-progress cyber attacks against US retailers linked to the same gang that supposedly attacked M&S and Co-op in the UK.
  • 20 May: Cold chain services provider Peter Green Chilled, which supplies the likes of Aldi, Sainsbury’s and Tesco, has been forced to halt operations after succumbing to a ransomware attack.
  • 4 June: A threat group is using voice phishing to trick targeted organisations into sharing sensitive credentials, according to Google. (Cybersecurity Dive)
  • 11 June: So-called Black Swan events expose the blind spots in even the most sophisticated forecasting models, signaling a need to rethink how businesses, and those investing in them, quantify and prepare for cyber risk.
  • 13 June: The recent spate of cyber attacks on UK retailers has to be a wake-up call to build more cyber resilience into digital supply chains and fortify against social engineering attacks.
  • 17 June: Following a series of high-profile attacks on prominent retailers and consumer brands, a group of criminal hackers appears to be expanding their targeting to the insurance sector.
  • 20 June: The UK’s Cyber Monitoring Centre has published its first in-depth assessment of a major incident, reflecting on the impact of and lessons learned from cyber attacks on M&S and Co-op.
  • 26 June: US authorities have unsealed charges against 25-year-old hacker Kai West, aka IntelBroker, accusing him of being behind multiple cyber attacks.
  • 27 June: Multiple reports are emerging of cyber attacks on airlines – Google Cloud’s Mandiant believes them to be linked.
  • 2 July: Australian flag carrier Qantas is investigating significant data theft of personal information for up to 6 million customers after a third-party platform used by its call centre was compromised.
  • 2 July: A developing cyber attack at Australian airline Qantas that started at a third-party call centre is already being tentatively attributed to the same gang that hit UK retailers. Find out more and learn about the next steps for those affected.
  • 8 July: The government should extend ransomware reporting mandates to businesses to help gather more intelligence and better support victims, says M&S chairman Archie Norman.
  • 9 July: Australian flag carrier begins notifying millions of individuals after a cyber attack on a call centre, confirming that while financial and passport details are safe, a significant volume of other personal information was compromised.
  • 10 July: Police have made four arrests in connection with a trio of cyber attacks on UK retailers Marks & Spencer, Co-op and Harrods.
  • 14 July: French luxury goods retailer LVMH has disclosed multiple cyber attacks in 2025 so far, and their impact is now spreading to the UK as a new incident affecting Louis Vuitton comes to light.
  • 16 July: Microsoft warns users over notable evolutions in Scattered Spider's attack playbook, and beefs up some of the defensive capabilities it offers to customers in response.
  • 16 July: Co-op chief executive Shirine Khoury-Haq has revealed that all the personal data of all 6.5 million of its members was compromised in the April 2025 cyber attack on its systems.
  • 24 July: Cleaning products manufacturer Clorox fell victim to a Scattered Spider social engineering attack two years ago – it blames its IT helpdesk provider, Cognizant.
  • 30 July: CISA, the FBI, NCSC and others have clubbed together to update previous guidance on Scattered Spider's playbook, warning of new social engineering tactics and exploitation of legitimate tools, among other things.
  • 7 August: Air France - KLM alerts authorities of a data breach in which threat actors were able to get away with names, email addresses, phone numbers, and more. (Dark Reading)
  • 7 August: ShinyHunters is back, with low-tech hacks that nonetheless manage to bring down international megaliths like Google, Cisco, and Adidas. (Dark Reading)
  • 11 August: Computer Weekly gets under the skin of an ongoing wave of ShinyHunters cyber attacks orchestrated via social engineering against Salesforce users.
  • 12 August: ReliaQuest researchers present new evidence that firms up a potential link, or outright partnership, between the ShinyHunters and Scattered Spider cyber gangs.
  • 18 August: A campaign of voice-based social engineering attacks targeting users of Salesforce’s services appears to have struck HR platform Workday.
  • 19 August: Millions of people are supposedly affected by a breach at Allianz Insurance arising via attacks on Salesforce (Dark Reading).
  • 2 September: Jaguar Land Rover reports a cyber attack has ‘severely disrupted’ its vehicle production and retail operations, recalling similar attacks on other prominent British brands this year.
  • 5 September: The recent cyber attack on Jaguar Land Rover is keeping workers out of plants as possible attack group identity becomes public.
  • 9 September: Qantas executives are to take a pay cut in the wake of the recent cyber attack on the airline's systems (Dark Reading).
  • 10 September: Carmaker Jaguar Land Rover revealed that data was stolen in the cyber attack that began on 31 August, as its production line continues to be affected.
  • 12 September: M&S chief digital and technology officer Rachel Higham steps back from her role in the wake of the April 2025 cyber attack on the retailer’s systems.
  • 15 September: Kering, the parent group of fashion houses including Balenciaga and Gucci, becomes the latest organisation to allegedly fall victim to ShinyHunters.

Read more on Data breach incident management and recovery