Ransomware, Breach, Threat Intelligence

Jaguar Land Rover shuts down systems following cyberattack

Jaguar Land Rover car showroom in Acton, west London. Jaguar Land Rover is a British multinational automotive company.

Jaguar Land Rover (JLR) on Sept. 2 reported that it was forced to shut down its systems following a cyberattack.

In a statement Tuesday, the company said it was working behind the scenes to gradually restart its global applications.

“At this stage, there is no evidence any customer data has been stolen, but our retail and production activities have been severely disrupted,” the JLR statement said.

JLR sold 99,277 vehicles in the United States in 2024, with sales declining in the first quarter of 2025. The British company markets a luxury auto brand portfolio that includes Range Rover, Defender, Discovery, and Jaguar.

While there was no mention of ransomware or double extortion, industry experts said it's possible the attack on a manufacturer represented an expansion of Scattered Spider's recent attacks on retailers in the UK and worldwide.

Lawrence Pingree, technical evangelist at Dispersive, said so far there’s no disclosure that claims the attack is related to the recent Scattered Spider attacks, but an earlier CrowdStrike report said that Scattered Spider had pivoted to retail, along with other verticals, so it's entirely possible.

“Typically disruptions these days are caused by ransomware, but it’s hard to assume since of course other types of attacks, such as a DDoS, or a major breach, can cause defenders to take down systems in their response efforts,” said Pingree.

Amir Khayat, co-founder and CEO at Vorlon, theorized that JLR’s strong reliance on cloud technologies makes it an ideal prize for groups such as ShinyHunters, bad actors that break into sprawling SaaS ecosystems and sell “CRM Gold” on the dark web.

Khayat added that like many large enterprises, JLR isn’t just running a few Salesforce licenses: it has built an entire digital nervous system on Sales Cloud, Service Cloud, Marketing Cloud, MuleSoft, Tableau, and early Automotive Cloud pilots.

“Whether JLR’s attacker is indeed ShinyHunters, or another group, the lesson is urgent: every auto OEM should treat its Salesforce connectors and SaaS links as crown‑jewel assets, monitoring them with the same intensity as an assembly line,” said Khayat. “Until that happens, we should expect more headlines like this one.”

Piyush Pandey, chief executive officer at Pathlock, said that with widespread cyberattacks targeting retailers in recent months — and now expanding to manufacturers with the JLR incident — security teams across both sectors should strengthen controls to reduce exposure.

“Ensuring the principle of least privilege is implemented on a continuous basis is a fundamental step in addressing this risk,” said Pandey. “That includes automating access reviews to revoke excessive permissions, promptly locking down emergency access, and continuously monitoring critical applications to detect and terminate unauthorized activity quickly.”
