Jaguar Land Rover (JLR) confirmed today that attackers also stole “some data” during a recent cyberattack that forced it to shut down systems and instruct staff not to report to work.
JLR functions as a standalone entity under Tata Motors India after its purchase from Ford in 2008. With an annual revenue of over $38 billion (£29 billion), JLR employs approximately 39,000 people and makes more than 400,000 vehicles each year.
The automobile manufacturer disclosed the attack on September 2, stating that its “production activities have been severely disrupted.” JLR has been working to restart its operations and investigating the incident since then with the help of the U.K. National Cyber Security Centre (NCSC).
In today’s statement, the company also announced that it has notified the relevant authorities about the data breach.
“Since we became aware of the cyber incident, we have been working around the clock, alongside third‑party cybersecurity specialists, to restart our global applications in a controlled and safe manner,” JLR said.
“As a result of our ongoing investigation, we now believe that some data has been affected and we are informing the relevant regulators. Our forensic investigation continues at pace and we will contact anyone as appropriate if we find that their data has been impacted.”
JLR didn’t reply to a request for comment when BleepingComputer reached out to ask for more information about the incident and its potential impact on customers.
While JLR has confirmed that the threat actors have stolen information from its compromised systems, the company has yet to attribute the attack to a specific cybercrime group, and no known ransomware gangs have taken responsibility for the attack.
However, a loosely knit group of cybercriminals calling themselves “Scattered Lapsus$ Hunters” has claimed responsibility for the breach on Telegram, sharing screenshots of an internal JLR SAP system and saying that they’ve also deployed ransomware on the company’s compromised systems.
This group claims to consist of cybercriminals associated with the Lapsus$, Scattered Spider, and ShinyHunters extortion groups. This same group is also behind widespread Salesforce data theft attacks that used social engineering and stolen Salesloft Drift OAuth tokens to steal data from numerous companies.
The list of companies whose Salesforce instances were breached in these attacks includes Google, Cloudflare, Elastic, Palo Alto Networks, Zscaler, Tenable, Proofpoint, CyberArk, BeyondTrust, JFrog, Fastly, Qualys, Workday, Cato Networks, HackerOne, BugCrowd, and Rubrik.