Jaguar Land Rover Confirms Data Theft in Major Cyberattack

Published On: Sep 10, 2025 (UTC)

Production lines remain at a standstill as ransomware groups claim responsibility for stealing 350GB of sensitive data

London, UK - Sep 10, 2025 (UTC) - Jaguar Land Rover confirmed on Wednesday that data was stolen during a cyberattack that has brought the British automaker’s vehicle assembly lines to a complete standstill and severely disrupted operations across its global network.

In a statement on Wednesday, the U.K.-based maker of Land Rover and Range Rover vehicles said it was aware that “some data” was taken in the incident. This marks an escalation from the company’s initial September 2 disclosure, when JLR stated there was “no evidence any customer data has been stolen.”

The cyberattack, which began on August 31, has forced the company to shut down its systems, severely disrupting production lines and sales operations. The disruption extends to the company’s supply chains and to vehicle repairs. According to reports, JLR workers have been told to stay away from work, with production halted for over a week.

“JLR has been impacted by a cyber incident. We took immediate action to mitigate its impact by proactively shutting down our systems,” the company stated. “We are now working at pace to restart our global applications in a controlled manner. At this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted.”

However, cybersecurity researchers have reported far more extensive data theft than initially acknowledged. Hudson Rock CTO Alon Gal reported that ransomware groups have claimed responsibility for “leaking gigabytes of sensitive information including proprietary documents, source codes, and employee and partner data.” According to the report, attackers exploited Atlassian JIRA credentials that had been stolen from employees using infostealer malware over several years.

The breach allegedly involves 350GB of data stolen by threat actors, including vehicle tracking data, development logs, source code, and employee details. Two separate hacker groups, “Rey” from the Hellcat ransomware group and “APTS,” have claimed responsibility for different aspects of the attack. The Hellcat group first emerged in 2024 and has previously targeted telecoms companies, universities and energy companies.

Security experts suggest the attackers followed an established playbook seen in previous attacks on major corporations. “Infostealer malware—such as Lumma, which was implicated in the Schneider Electric breach—silently infects employees’ devices, often through phishing emails, malicious downloads, or compromised websites,” Gal explained. “Once embedded, the malware exfiltrates sensitive data, including login credentials for corporate systems.”

The attack has raised concerns about the economic impact on the UK, as Jaguar Land Rover is one of the country’s largest employers with more than 33,000 staff. Government officials are reportedly concerned about the economic fallout, with recovery expected to take weeks rather than days. The timing is particularly damaging as it occurs during a traditionally busy period for new car deliveries.

“If vehicle tracking data, development logs, source code, and employee details were indeed stolen, it’s a big deal,” said Karolis Arbaciauskas, head of business product at NordPass. “Such materials are usually highly sensitive, so the consequences can vary from reputational damage to loss of competitiveness and large sums of money. Just imagine – your company has poured millions into R&D, and one day, someone just steals it all and sells it to your competitors for a fraction of what you invested.”

Some reports indicate the attack may have been carried out by threat groups including Scattered Lapsus$ Hunters, though multiple ransomware groups have claimed involvement. The attack follows a recent spate of cyber incidents across the UK retail and manufacturing sectors.

Companies operating in the U.K. are obligated to notify the Information Commissioner’s Office within three days of discovering a data breach. It remains unclear whether the stolen data relates specifically to the company’s operations, employees, or customers, though JLR has maintained there is no evidence of customer data theft.

The incident highlights the growing threat of ransomware attacks targeting critical infrastructure and major employers, with cybercriminals increasingly using stolen credentials and insider access to penetrate corporate networks and steal sensitive data for profit.