The JLR Cyber Attack: How a Single Breach Contracted UK GDP

On 1 September 2025, Jaguar Land Rover shut down its entire global IT infrastructure. Within days, every UK manufacturing plant was silent, from Solihull and Halewood to Wolverhampton and Castle Bromwich, with nothing moving off the production lines. Plants in Slovakia, China, India, and Brazil followed. Dealerships couldn't register vehicles or process parts orders. The production lines stayed down for five weeks.
The Cyber Monitoring Centre classified the incident as a Category 3 systemic event and estimated the total UK financial impact at GBP 1.9 billion, with a range of GBP 1.6 billion to GBP 2.1 billion. Over 5,000 UK organisations were affected through the supply chain. The Bank of England's November 2025 Monetary Policy Report cited the JLR attack as contributing to a 0.17 percentage point contraction in September GDP. Ciaran Martin, chair of the CMC (Cyber Monitoring Centre) Technical Committee and former NCSC (National Cyber Security Centre) CEO, called it "by some distance, the single most financially damaging cyber event ever to hit the UK."
The government responded with a GBP 1.5 billion loan guarantee. Parliament held urgent debates in both the Commons and the Lords. None of it got the production lines moving any faster.
What everyone thinks happened
The media version was straightforward: ransomware hit a car factory. Some outlets focused on the factory floor images, the silent production lines, the workers sent home. Others jumped to the government bailout angle. On social media, the conversation was about whether JLR "should've" patched faster or whether the UK government was right to intervene with taxpayer-backed guarantees.
That framing misses almost everything that matters about this incident. The attack didn't actually start in September, and it involved two separate threat groups operating months apart. The vulnerability that enabled the main attack was patched three months before it was exploited. And the GBP 1.9 billion impact figure doesn't measure the damage to JLR. It measures the damage to the UK economy, because a single manufacturer's five-week shutdown cascaded through thousands of organisations that most people have never heard of.
What actually happened
This was two distinct incidents, separated by months. The first, in March 2025, was a data exfiltration operation. The second, starting 31 August 2025, was the operational attack that shut everything down. Whether they're connected isn't confirmed, but they exploited the same class of weakness: third-party credentials that should have been revoked years earlier.
March 2025: HELLCAT and the four-year-old password
On 10 March 2025, a threat actor going by "Rey," a member of the HELLCAT ransomware group, posted approximately 700 internal JLR documents on DarkForums. Four days later, a second independent actor called "APTS" appeared on the same forum with roughly 350 GB of additional data.
The entry point was an Atlassian Jira instance, specifically credentials belonging to an LG Electronics employee who had third-party access to JLR's Jira server. Those credentials were harvested by infostealer malware, likely from the Lumma family, in 2021. They were never rotated, never revoked, and never flagged in the four years between compromise and exploitation.
The stolen data included internal documents, development logs, source code, employee details (usernames, email addresses, time zones), and debug logs from JLR's PIVI Pro infotainment system. Cloud credentials were also potentially exposed in the breach. The breach didn't shut anything down, but it demonstrated that JLR's third-party credential management had a gap wide enough for two separate threat actors to walk through independently.
HELLCAT's signature technique is exactly this: targeting Jira credentials harvested from infostealer logs. They used the same playbook against Schneider Electric.
September 2025: Scattered Lapsus$ Hunters and the SAP exploit
The operational attack began on 31 August 2025. By 1 September, JLR had proactively shut down its global IT systems. Their first public statement on 2 September confirmed that "retail and production activities have been severely disrupted" but stated there was "no evidence any customer data has been stolen."
The threat group was Scattered Lapsus$ Hunters, an alliance of three established groups: Scattered Spider (also known as Octo Tempest or UNC3944), LAPSUS$, and ShinyHunters. Security firm Resecurity reported the alliance formed in mid-2025 via Telegram, with a clear division of labour: Scattered Spider handled initial access, LAPSUS$ handled extortion and amplification, and ShinyHunters handled data harvesting and dark web sales. They operated a RaaS (ransomware-as-a-service) offering called "shinysp1d3r." The same alliance is attributed to the attacks on M&S, Co-op, Harrods, and the British Museum earlier in 2025. Attribution confidence is medium, per CYFIRMA's assessment, and JLR has not published its own attribution findings.
The primary attack vector was a chained exploit of two SAP NetWeaver Visual Composer vulnerabilities.
CVE-2025-31324 is a missing authorisation check in the Metadata Uploader component that allows unauthenticated file uploads, including webshells. It carries a CVSS score of 10.0, the maximum. SAP released an emergency patch in May 2025. CISA (Cybersecurity and Infrastructure Security Agency) issued a warning in April 2025. By August, security firm Onapsis reported over 1,100 SAP systems had been compromised globally.
CVE-2025-42999 is a deserialization vulnerability in the Visual Composer development server that enables authenticated code execution. On its own, this vulnerability requires authentication to exploit. Chained with CVE-2025-31324, it allows unauthenticated remote code execution with SAP admin privileges.
On 20 August 2025, a working exploit combining both CVEs appeared on a Telegram channel claiming to represent the Scattered Spider/ShinyHunters/LAPSUS$ alliance. VX Underground amplified it across social media and Telegram. Onapsis assessed the exploit and noted it was "not a true 0-day" because it chained two known, previously patched flaws. The exploit works by sending HTTP POST requests with rogue payloads to the /irj/portal endpoint, bypassing authentication entirely and enabling OS-level command execution without deploying persistent artifacts.
Eleven days later, the attackers were inside JLR's network.
The timeline is worth examining closely, because every date matters. SAP patches were available from May 2025, the working exploit went public on 20 August 2025, and JLR was hit on 31 August. That's a three-month window between patch availability and breach, and an 11-day window between public exploit and breach. By August, the Shadowserver Foundation reported fewer than 50 internet-facing SAP NetWeaver instances remained unpatched globally, which means this wasn't a case of obscurity. It was a known, tracked, actively exploited vulnerability with a patch sitting on a shelf.
What got hit
Once inside, the attackers didn't stay in the SAP layer. CyCraft and CYFIRMA's analysis identified additional TTPs (tactics, techniques, and procedures) including spearphishing links, valid account hijacking, MFA (multi-factor authentication) interception, PowerShell-based lateral movement, SliverC2 for persistent remote access, AMSI (Antimalware Scan Interface) bypasses, and reflective code loading. They cleared Windows event logs, deleted shadow copies, and used RDP (Remote Desktop Protocol) and SMB (Server Message Block) shares for lateral movement.
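Two of the post-compromise behaviours listed above, clearing the Windows event logs and deleting shadow copies, leave traces that are cheap to alert on. The following is an added example, not code from the original article or from any of the firms cited: it runs three simple rules over a constructed set of parsed Windows Security events. Event ID 1102 (audit log cleared) and 4688 (process creation) are real Windows event IDs; hostnames, users and command lines are invented.

```python
import re

# Constructed sample events standing in for parsed Windows Security log
# records. 4688 carries the command line only if process command-line
# auditing is enabled in the audit policy. All values below are invented.
SAMPLE_EVENTS = [
    {"host": "plc-hmi-01", "id": 4688, "user": "svc_build",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "erp-app-03", "id": 1102, "user": "CONTOSO\\j.doe",
     "cmdline": ""},
    {"host": "ws-0412", "id": 4688, "user": "a.smith",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},  # placeholder
    {"host": "ws-0412", "id": 4688, "user": "a.smith",
     "cmdline": "notepad.exe report.txt"},
]

# Each rule is (name, predicate). Patterns are deliberately narrow so a
# benign process-creation event such as the notepad line is not flagged.
RULES = [
    ("shadow_copy_deletion",
     lambda e: e["id"] == 4688 and bool(
         re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", e["cmdline"], re.I))),
    ("security_log_cleared",
     lambda e: e["id"] == 1102),
    ("encoded_powershell",
     lambda e: e["id"] == 4688 and bool(
         re.search(r"powershell.*\s-(e|enc|encodedcommand)\b", e["cmdline"], re.I))),
]


def detect(events):
    """Return a list of (rule_name, host) for every event matching a rule."""
    hits = []
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                hits.append((name, event["host"]))
    return hits


if __name__ == "__main__":
    for rule, host in detect(SAMPLE_EVENTS):
        print(f"{rule:<22} on {host}")
```

In a real deployment the same predicates would run against a SIEM feed rather than a list, but the logic is identical: these events on a production or ERP host should never be silent.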
The systems compromised spanned production line controls at all UK plants, CAD (computer-aided design) and PLM (product lifecycle management) systems, dealer ordering and vehicle registration systems, email infrastructure, SAP ERP (enterprise resource planning) systems, financial and wholesale processing, and the Global Parts Logistics Centre.
In December 2025, JLR confirmed that payroll data had also been stolen: bank account details, national insurance numbers, tax codes, and addresses for current and former employees. The ICO (Information Commissioner's Office) opened an investigation. JLR established a help line and offered credit and identity monitoring services to affected staff, but the exposure of financial data creates a long tail of risk that monitoring can flag but not prevent.
The shutdown timeline
On 5 September, an NCSC statement said the centre was "working with Jaguar Land Rover to provide support in relation to an incident." On 9 September, the House of Commons held an urgent question debate where Minister of State Chris Bryant stated the "Government and National Cyber Security Centre will do everything in our power to help resolve this," but declined to confirm who was responsible, whether the attack was state-sponsored, or any timeline for resolution. The House of Lords debated the attack the following day.
The production shutdown lasted a total of five weeks. JLR originally planned to restart on 24 September but pushed that to 1 October. On 25 September, JLR's statement confirmed "sections of our digital estate are now up and running" and that "the foundational work of our recovery programme is firmly underway." Manufacturing restarted in phases from 8 October, beginning with engines and batteries at EPMC and BAC, followed by Range Rover and Range Rover Sport production at Solihull, then Nitra in Slovakia. Production didn't return to normal levels until mid-November 2025.
CEO Adrian Mardell described the restart as "an important moment for JLR and all our stakeholders." In the November earnings call, he stated that "JLR has made strong progress in recovering its operations safely and at pace."
Myth vs fact
Myth: This was just a JLR problem.
The GBP 1.9 billion CMC estimate covers the entire UK economic impact, not just JLR's losses. Over 5,000 organisations across the supply chain were affected. JLR directly employs 34,000 people in the UK and supports a supply chain of approximately 120,000 jobs. Named suppliers including WHS Plastics, Evtec, Sertec, and OPmobility suspended staff. Over 6,000 people at those suppliers were sent home. MP Derek Twigg cited over 200,000 people directly affected in the West Midlands alone. JLR introduced a prepayment scheme that accelerated supplier payments by roughly 120 days to prevent insolvencies in its supply chain. The Bank of England cited the attack in its Monetary Policy Report as contributing to slower-than-expected Q3 GDP growth of 0.2%.
Will Mayes, CMC Chief Executive, put it plainly: "A cyber attack on a single major manufacturer can cascade through thousands of businesses, disrupting suppliers, transport, and local economies."
Myth: SAP systems aren't serious attack targets.
CVE-2025-31324 has a CVSS score of 10.0 because it grants unauthenticated access to the systems that run manufacturing, finance, HR, supply chain logistics, and procurement for some of the largest organisations in the world. SAP NetWeaver runs behind the scenes at thousands of enterprises, and Visual Composer is a component many organisations don't even know is enabled. CISA tracked over 1,100 compromised SAP systems globally before the JLR breach. These aren't consumer-facing web applications that can be quickly patched and restarted. They're the operational backbone, and when they go down, the business stops.
Myth: The attackers found a zero-day.
Onapsis specifically assessed the exploit and stated it was "not a true 0-day." Both CVEs had patches available before the exploit was published. CVE-2025-31324 had been actively exploited since March 2025 and was patched in May. The exploit that hit JLR chained two known vulnerabilities using a publicly available tool. The issue wasn't unknown software flaws but the gap between patch availability and patch deployment, which is one of the oldest problems in information security.
Myth: Paying the ransom would have prevented the damage.
Whether a ransom was demanded, or paid, hasn't been publicly confirmed. What is confirmed is that the production shutdown was caused by JLR proactively shutting down global IT systems to contain the attack. The systems needed to be rebuilt, not unlocked. Even if decryption keys were provided, you can't restart a compromised SAP environment, production control system, and global dealer network without verifying the integrity of every component. The five-week shutdown was a recovery operation, not a standoff. Paying a ransom doesn't compress that recovery timeline.
What would have stopped this
Three things stand out from the research (consistent with the 2023 baseline evaluation criteria), and none of them are exotic.
Credential lifecycle management. The March breach happened because a third-party credential from 2021 was still valid in 2025. Automated credential rotation policies, third-party access audits, and integration with infostealer intelligence feeds would have flagged or expired those Jira credentials years before HELLCAT and APTS used them. The fix isn't technically complicated, it's a process that someone needs to run and someone needs to audit.
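The audit described above is mostly bookkeeping. As an added example (not code from the original article or from JLR), the following checks a constructed inventory of third-party accounts against a rotation age limit, a dormancy limit, and a constructed infostealer-intelligence feed, which is what would have surfaced a supplier credential issued in 2021 and still valid in 2025. Account names, dates and policy thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class ThirdPartyCredential:
    account: str
    supplier: str
    issued: date
    last_rotated: date
    last_used: date


# Constructed infostealer-intel feed: account -> date the leak was first seen.
LEAK_FEED = {"vendor.user1@example-supplier.test": date(2021, 6, 3)}

# Assumed policy thresholds; real values come from the organisation's standard.
MAX_AGE = timedelta(days=90)      # rotate at least this often
DORMANCY = timedelta(days=180)    # revoke if unused for this long

# Constructed inventory: one stale-and-leaked account (the 2021 pattern),
# one healthy account, one dormant account.
SAMPLE_CREDS = [
    ThirdPartyCredential("vendor.user1@example-supplier.test", "Supplier A",
                         date(2021, 1, 15), date(2021, 1, 15), date(2025, 3, 1)),
    ThirdPartyCredential("vendor.user2@example-supplier.test", "Supplier B",
                         date(2024, 12, 1), date(2025, 2, 8), date(2025, 3, 5)),
    ThirdPartyCredential("vendor.user3@example-supplier.test", "Supplier C",
                         date(2024, 1, 1), date(2025, 1, 1), date(2024, 6, 1)),
]


def audit(creds, today, leak_feed=LEAK_FEED, max_age=MAX_AGE, dormancy=DORMANCY):
    """Return {account: [reasons]} for every credential that violates policy."""
    findings = {}
    for c in creds:
        reasons = []
        age = today - c.last_rotated
        if age > max_age:
            reasons.append(f"not rotated for {age.days} days")
        if today - c.last_used > dormancy:
            reasons.append("dormant")
        # A leak observed on or after the last rotation means the current
        # secret is the one in the stealer logs; an earlier leak was superseded.
        leaked = leak_feed.get(c.account)
        if leaked is not None and leaked >= c.last_rotated:
            reasons.append(f"in infostealer feed since {leaked.isoformat()}")
        if reasons:
            findings[c.account] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in audit(SAMPLE_CREDS, date(2025, 3, 10)).items():
        print(account, "->", "; ".join(reasons))
```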
SAP patch deployment within the available window. Three months elapsed between patch availability and breach. Eleven days between public exploit and breach. SAP ERP systems are notoriously complex to patch because downtime affects every connected business process, and testing a patch against customised SAP environments takes time. Those are real constraints that every large SAP customer faces. But when a CVSS 10.0 vulnerability has a working public exploit and CISA is actively tracking compromised systems, the risk of not patching exceeds the risk of downtime.
Network segmentation between IT and OT environments. The attackers moved from an SAP entry point to production line controls, CAD systems, dealer networks, and payroll systems. If the enterprise IT environment (SAP, email, Active Directory) and the operational technology environment (production lines, control systems) had been segmented with proper boundary controls, the blast radius of the initial SAP compromise would have been contained. Segmentation doesn't prevent the initial breach, but it limits what the attacker can reach afterwards.
What changed after
GBP 1.5 billion government loan guarantee. On 28 September 2025, the UK government announced a UKEF (UK Export Finance) backed Export Development Guarantee for JLR, structured as a five-year commercial bank loan with UKEF covering the risk (typically 80%). Business Secretary Peter Kyle called the attack "not only an assault on an iconic British brand, but on our world-leading automotive sector." Chancellor Rachel Reeves described JLR as "a jewel in the crown." JLR also secured GBP 3.5 billion in backstop facilities, a GBP 2 billion bridge facility signed on 22 September, and total liquidity of GBP 6.6 billion. This was the first time the UK government used a loan guarantee in response to a cyber incident.
Cyber Security and Resilience Bill. Minister of State Chris Bryant referenced forthcoming legislation in the House of Commons debate on 9 September, alongside a Home Office ransomware consultation that received over 70% business support. The Cyber Security and Resilience Bill's timeline was described as "soon," with the JLR incident adding visible urgency. The House of Lords debated the attack on both 10 September and 14 October.
CMC Category 3 classification. The Cyber Monitoring Centre's assessment, published 22 October 2025, was the first use of Category 3 on its five-point scale. This classification provides a standardised language for the insurance and policy communities to quantify cyber events. The GBP 1.9 billion central estimate, with the GBP 1.6 billion to GBP 2.1 billion range, gives a precedent figure for future supply chain attacks of comparable scale.
JLR's recovery. Production restarted from 8 October and returned to normal levels by mid-November. Q2 FY26 results showed a GBP 485 million pre-tax loss (compared with GBP 398 million profit in the same quarter the previous year), revenue down 24% year on year to GBP 4.9 billion, and GBP 196 million in cyber-related exceptional costs. Adjusted EBITDA (earnings before interest, taxes, depreciation, and amortisation) swung to negative GBP 78 million from positive GBP 759 million. Q3 wholesale volumes fell 43.3% year on year to 59,200 units. In the earnings call, CEO Adrian Mardell confirmed that "production of all our luxury brands has resumed" and credited "the resilience and hard work of our colleagues."
The practical question for any organisation with a complex supply chain is whether a five-week production shutdown at a single supplier, partner, or customer would cascade through your operations. The JLR incident demonstrated that a cyber event at one manufacturer can visibly contract national GDP. Most organisations don't have GBP 6.6 billion in liquidity reserves or a government loan guarantee waiting. Recovery planning that accounts for extended supplier outages isn't optional if your business depends on one. And JLR's daily sales loss of GBP 72 million, cited in the Hansard debate, illustrates what "extended" means in financial terms when applied to a manufacturer of that scale.