What UK businesses can learn from the Jaguar Land Rover cyberattack 


Executive summary

In late August 2025, Jaguar Land Rover was hit by a major cyberattack that forced it to shut down IT systems and pause manufacturing, creating ripple effects across its suppliers and operations.

The UK government has now stepped in with a £1.5 billion loan guarantee to stabilise the business and its supply chain, while JLR prepares for a phased restart of production.

For UK organisations, the key lessons here are to have a tested incident response plan, to isolate and communicate quickly, tighten identity controls, and practice recovery before a real attack hits. Because it’s usually when, not if.


Introduction 

Another day, another cyberattack on a national UK business.

That’s how 2025 is starting to feel, anyway. Jaguar Land Rover (JLR) has now joined the ranks of M&S, Harrods, and Co-Op in the list of targets for cybercriminals this year.

A household name in the UK, and a business with roots dating back to the 1920s, this one came as something of a shock. But it’s not just the headlines that shocked people – the reality of a cyberattack of this scale is what hits hardest.

In late August, JLR was hit by a cyberattack that forced it to shut down much of its IT infrastructure and pause manufacturing. The ripple effects of this attack were enormous: suppliers struggled, payments stalled, operations were frozen.

But the story didn’t end there.

The government has now (somewhat controversially) intervened with financial backing of £1.5 billion, and JLR has a plan to restart its factories in a controlled way.


The JLR cyberattack: A quick timeline of events

To understand the lessons, it helps to first see how these events unfolded.

Here’s a quick timeline of the key moments:

  1. Late August 2025. Hackers strike, forcing JLR to shut down its IT systems. Manufacturing grinds to a halt and suppliers can’t be paid.
  2. Early September. JLR confirms data was affected and regulators are notified. Production remains paused while investigations continue.
  3. Mid-September. Reports emerge of stolen data being touted on hacker forums. JLR works with the National Cyber Security Centre and law enforcement.
  4. Late September. The government steps in with a £1.5 billion loan guarantee to stabilise JLR and its supply chain. Plans are made for controlled restarts.
  5. Early October. Some manufacturing sites, including engine production, begin phased re-openings as systems are brought back online safely.

Plan, isolate, communicate (and know when to pause) 

For smaller UK businesses, the detail is less important than the rhythm: a sudden shutdown, followed by a long pause, a need for financial support, and finally careful recovery. That’s what crisis management looks like at scale – and it’s what any company should be prepared for in its own way.

One of the most critical moves in JLR’s disaster response here was to pause major systems immediately. In this case, we’re not talking about a staged, gradual shutdown – it was more like a decisive isolation (or ‘pulling the plug’, to put it another way).

This kind of containment can stop attackers spreading deeper into an organisation’s systems, but it requires a plan that’s already been battle-tested.

Such a plan should include:

  • Clear authority to act. One nominated person (or a small group) must have the ability to isolate systems without any delay.
  • Communication routes. The plan should state who alerts staff, leaders, customers, regulators, etc. – and how they’ll go about it.
  • Evidence preservation. Logs, system images, and audit trails must all be captured before wiping or restoring.
  • Fallback restoration paths. This is about knowing which systems are safe to bring back first, what that timing should look like, and how the systems should be validated.

With JLR, this approach helped limit damage while the attack was still happening. Their ability to pause before the breach spread more deeply probably saved them from an even more catastrophic collapse.


How did this happen?

Perhaps the number one question in this whole affair has been, ‘How could this have happened?’

The situation is still developing as of early October 2025, but here’s what we know:

  • The attack hit in late August 2025, immediately forcing IT systems offline and effectively stopping the car maker’s production line.
  • Critical IT systems that were targeted included parts tracking, manufacturing, sales tools, and more.
  • JLR initially reported that no customer data had been stolen, but later admitted that some information had been accessed.
  • A hacking group called “Scattered Lapsus$ Hunters” claimed responsibility, using the attack to apply pressure.
  • Early analysis points to a targeted attack on administrative systems, likely exploiting credentials and software vulnerabilities.
  • Quick action to shut down systems helped contain the attack, but full recovery required careful, phased restarts.

This shows that even well-resourced firms can be brought down if attackers know exactly where to target their attack.  


What lessons can organisations learn here?

It’s surprising when large nationally established businesses fall victim to attacks like this, but it serves as a timely reminder: nobody is too big (or too small) to be a target.

The hackers behind the JLR attack reportedly compromised critical devices, data access and admin privileges. Once that happens, lateral movement becomes easy. That’s why identity must be treated as the first line of defence.

In terms of your own strategy, here’s what we’d recommend you focus on:

  • Phishing-resistant Multi-Factor Authentication. A user’s password + SMS or an app isn’t enough anymore. Use hardware passkeys or more advanced MFA solutions.
  • Use “least privilege” policies. Give people only the access they actually need, and then remove it when it’s no longer required.
  • Third-party/app access reviews. Many attacks begin through connected apps or OAuth connections that were forgotten. Audit them regularly.
  • Logging and detection. Use tools that flag suspicious credential use, insider risk behaviour or anomalous sign-ins.
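
As an added illustration of the least-privilege and app access review points above (example code added here, not from JLR or from any vendor tool), this script reviews an exported list of third-party app grants and flags the ones that look forgotten or over-scoped. The sample records, field names, scope markers and 90-day threshold are all assumptions to adapt to your own identity provider's export.

```python
from datetime import date

# Constructed sample export of third-party app grants (not real data).
# Field names are assumptions; map them from your identity provider's export.
GRANTS = [
    {"app": "crm-sync", "scopes": ["contacts.read"],
     "granted_by": "alice", "last_used": "2025-09-28"},
    {"app": "old-survey-tool", "scopes": ["mail.read", "files.read.all"],
     "granted_by": "bob", "last_used": "2024-11-02"},
    {"app": "backup-agent", "scopes": ["directory.readwrite.all"],
     "granted_by": "admin", "last_used": "2025-10-01"},
    {"app": "trial-plugin", "scopes": ["profile"],
     "granted_by": "carol", "last_used": None},
]

# Substrings that mark a scope as broad (an assumption for this example).
BROAD_MARKERS = (".all", "readwrite", "full_access")


def review_grants(grants, today, stale_after_days=90):
    """Return grants needing attention, revocation candidates first."""
    findings = []
    for g in grants:
        reasons = []
        stale = False
        if g["last_used"] is None:
            stale = True
            reasons.append("never used")
        else:
            idle = (today - date.fromisoformat(g["last_used"])).days
            if idle > stale_after_days:
                stale = True
                reasons.append(f"unused for {idle} days")
        broad = [s for s in g["scopes"]
                 if any(m in s.lower() for m in BROAD_MARKERS)]
        if broad:
            reasons.append("broad scopes: " + ", ".join(broad))
        if reasons:
            findings.append({
                "app": g["app"],
                "granted_by": g["granted_by"],
                # Forgotten grants are revoked; active broad ones get narrowed or justified.
                "action": "revoke" if stale else "review",
                "reasons": reasons,
            })
    # Stable sort: revoke (False) sorts before review (True).
    return sorted(findings, key=lambda f: f["action"] != "revoke")


if __name__ == "__main__":
    for f in review_grants(GRANTS, today=date(2025, 10, 6)):
        print(f"{f['action']:6} {f['app']:16} {f['granted_by']:6} {'; '.join(f['reasons'])}")
```

Run on a schedule against a fresh export, the "revoke" rows become the removal list and the "review" rows go to the named grantor to justify or narrow.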

Always expect the unexpected 

Half of the battle with cybersecurity is understanding that cyberattacks are pretty much inevitable.

That being the case, prevention is always better than cure. So, if you’d like to map out a response plan for your own business, just ask your Get Support Customer Success Manager or call us on 01865 594 000.

We’d be happy to help tighten your defences and keep your business out of the headlines.