Jaguar Land Rover (JLR), owned by Tata Motors, is recovering from a ransomware incident detected in early September 2025 that has caused substantial disruption to retail and manufacturing. The automaker estimates daily losses of £5–10 million, positioning the breach among the most consequential cyber events in the UK automotive sector and a potential drag on national growth.
Incident timeline and operational impact on JLR
Following the breach, JLR initiated controlled shutdowns of several corporate systems. The UK dealer network was affected, losing the ability to register new vehicles and expedite parts shipments. On the factory floor, the most visible disruption hit Solihull—where Land Rover Discovery, Range Rover, and Range Rover Sport are assembled—and Halewood, where employees received notices about shift suspensions.
International sites in China, India, and Slovakia also experienced temporary stoppages. JLR confirmed that “some data” was compromised without disclosing its nature or whether customers were impacted. The company notified regulators, engaged external specialists, and is pursuing a phased and “controlled restoration of operations”.
On 16 September 2025, JLR extended its operational pause through 24 September 2025 to validate and safely relaunch global applications.
Attribution and the reported SAP angle
JLR has not offered attribution. However, members of the Scattered Lapsus$ Hunters collective—associated in open reporting with Scattered Spider, LAPSUS$, and Shiny Hunters—claimed responsibility on Telegram, according to BleepingComputer. They allegedly shared screenshots of internal SAP systems and asserted they deployed ransomware within compromised infrastructure. These assertions have not been confirmed by JLR.
Compromise of an enterprise resource planning (ERP) platform such as SAP typically disrupts material requirements planning (MRP), supply chain and logistics execution, and finance. When paired with encryption attempts, integrated processes—from component ordering to shipment and service—can seize up even if operational technology (OT) networks on the shop floor are segmented.
Supply-chain ripple effects and macroeconomic context
Downstream effects surfaced quickly. Per Sky News, about 6,000 jobs at Evtec, WHS Plastics, SurTec, and OPmobility were put at risk amid temporary reductions. The Unite union urged government support for affected workers, including partial wage subsidies.
With production formally paused on 2 September 2025 (and media reports indicating downtime began on 31 August), cumulative losses may already exceed £170 million. While JLR posted around £29 billion in revenue in 2024, smaller suppliers face disproportionate cash-flow stress and contract risks that can trigger insolvency. Although some outlets suggested downtime could extend into November, JLR has denied those claims.
The incident’s significance is amplified by JLR’s export footprint: the company accounted for roughly 4% of the UK’s goods exports last year, underlining the wider economic sensitivity of automotive manufacturing to cyber shocks.
Expert take: why ERP ransomware paralyzes manufacturing
ERP sits at the core of modern production. It coordinates parts procurement, scheduling, logistics, finance, and aftersales. When adversaries obtain high-privilege access or deploy ransomware in ERP, the blast radius spans multiple business functions simultaneously. Similar dynamics have surfaced in past industrial cases—such as disruptions involving Honda (2020) and Toyota suppliers (2022)—where upstream IT events cascaded into physical production delays.
Priority actions for IT/OT cyber resilience
Segment IT, ERP, and OT: Enforce strict network segmentation and block “transit” paths from corporate apps into OT. Apply Zero Trust controls for third-party remote access, including just-in-time, least-privilege sessions.
Strengthen identity security: Require MFA for privileged accounts, monitor session activity, and detect privilege escalation in real time. Rotate credentials rapidly during incident response.
Detect and contain fast: Deploy EDR/XDR with host isolation capabilities and centralize telemetry in SIEM. Run adversary emulations and tabletop exercises that include security, IT, manufacturing, legal, and communications teams.
Assure recoverability: Maintain immutable backups and an isolated recovery environment. Test end-to-end recovery of ERP (including SAP transports, RFC/IDoc interfaces, and integrations) on a routine schedule.
Harden SAP/ERP: Lock down interfaces, restrict transports, enforce strict role design, and continuously monitor system and service users. Implement change control with code and configuration scanning.
Manage third-party risk: Use time-bound access tokens, detailed action logging, and a rapid kill switch for supplier credentials. Validate vendor security controls contractually and via periodic assessments.
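The segmentation item above is easiest to verify mechanically: a policy can have no direct corporate-to-OT rule and still permit a multi-hop "transit" path through ERP. The following is an added example, not code from the original article or from JLR, that audits a zone-to-zone allow list for such chains; the zone names, rules and function name are constructed for illustration.

```python
from collections import deque

# Constructed sample policies. Each rule is (initiating zone, destination zone, service).
# Zone and service names are illustrative assumptions, not from any real environment.
FLAT_RULES = [
    ("corporate", "erp", "https"),
    ("vendor_vpn", "erp", "rfc"),
    ("erp", "mes", "idoc"),        # ERP pushes directly into the plant-floor MES
    ("mes", "ot", "opc-ua"),
    ("corporate", "backup", "https"),
]
# Same environment, but ERP and MES both connect outbound to a DMZ broker,
# so nothing on the corporate side can initiate a session toward MES or OT.
SEGMENTED_RULES = [
    ("corporate", "erp", "https"),
    ("vendor_vpn", "erp", "rfc"),
    ("erp", "dmz_broker", "https"),
    ("mes", "dmz_broker", "https"),
    ("mes", "ot", "opc-ua"),
    ("corporate", "backup", "https"),
]
UNTRUSTED = ["corporate", "vendor_vpn"]
PROTECTED = {"ot"}

def find_transit_paths(rules, sources, protected):
    """Return each loop-free chain of allow rules leading from a source zone into a protected zone."""
    graph = {}
    for src, dst, svc in rules:
        graph.setdefault(src, []).append((dst, svc))
    found = []
    for start in sources:
        queue = deque([(start, [], {start})])
        while queue:
            zone, hops, seen = queue.popleft()
            for dst, svc in graph.get(zone, []):
                if dst in seen:          # ignore cycles
                    continue
                chain = hops + [(zone, svc, dst)]
                if dst in protected:
                    found.append(chain)
                else:
                    queue.append((dst, chain, seen | {dst}))
    return found

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        paths = find_transit_paths(rules, UNTRUSTED, PROTECTED)
        print(f"{name}: {len(paths)} transit path(s) into OT")
        for chain in paths:
            print("  " + " -> ".join(f"{s}[{svc}]" for s, svc, _ in chain) + " -> " + chain[-1][2])
```

Run against an export of real firewall or security-group rules, any non-empty result is a chain of individually approved rules that together form a route into OT.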
Large manufacturers depend on the availability and integrity of ERP and adjacent systems as much as they rely on robots or assembly lines. Building layered defenses, practicing recovery, and treating identity as the new perimeter are critical to reducing business interruption and protecting the supply chain. Organizations should review their ERP resilience, vendor access, and incident playbooks now, before a crisis forces their hand.