Jaguar Land Rover (JLR) has instructed factory workers to stay home until early next week as it continues to grapple with the ramifications of the cyber attack suffered this week.
The breach, which occurred on Sunday, forced the manufacturer to shut down its vital IT systems to protect itself from hackers behind what it dubbed a ‘cyber incident’.
The impact, which is believed to be global, has dramatically affected UK production lines, with factory workers at its vehicle plants in Halewood, Merseyside, and Solihull in the West Midlands – as well as its engine factory in Wolverhampton – told not to come in until Tuesday at the very earliest, the BBC reports.
The situation is said to ‘remain under review’ with the company ‘working at pace’ to resolve the issue, though vehicle output could remain suspended well into next week.
JLR dealers have also been locked out of online systems, which has meant they’ve been unable to register new models since Monday 1 September.
It comes at a salient period of the calendar year, with the new ’75’ plate launched this month, which typically attracts more showroom visits and model sales than at any time of the year.
Thousands of existing owners are also believed to be affected, with garages unable to provide repairs as the IT shutdown has an impact on JLR’s parts supply chain.
Jaguar Land Rover has instructed factory workers to stay home until early next week as it continues to grapple with the ramifications of the cyber attack suffered this week
On Wednesday, the hacker group also responsible for the highly damaging attack on Marks and Spencer earlier in the year, confirmed it was responsible for infiltrating JLR’s systems.
The group of young English-speaking hackers – who are thought to be teens calling themselves ‘Scattered Lapsus$ Hunters’ – told the BBC how they allegedly accessed the car maker.
However, they are yet to confirm if they have successfully stolen private data from JLR or installed malicious software onto the company’s network.
The car maker has said that, at this stage, there is ‘no evidence any customer data has been stolen’ but acknowledged that its ‘retail and production activities have been severely disrupted’ as a result.
The hacking group posted two images this week showing apparent internal instructions for troubleshooting a car charging issue and internal computer logs.
Security experts say these images suggest the group had access to information they should not have.
In its latest statement issued to the Daily Mail, a spokesperson for the car maker said: ‘JLR has been impacted by a cyber incident. We took immediate action to mitigate its impact by proactively shutting down our systems.
‘We are now working at pace to restart our global applications in a controlled manner.’
In response to parts supply disruptions for customers expecting vehicle repairs, the manufacturer told us: ‘We are aware of the claims relating to the recent cyber incident and we are continuing to actively investigate.
‘Retailers are continuing to carry out repair work using locally held stock and we are supporting our retailers with access to our diagnostic systems to allow the, to continue work on client vehicles while are systems are not accessible.
‘Our roadside assistance service is operating with our dedicated fleet of branded vehicles, actively supporting clients in need – whether they’ve experienced a breakdown or require roadside assistance.’
Factory workers at JLR in Halewood, Merseyside, and Solihull (pictured) – as well as its engine factory in Wolverhampton – have been told not to come in until Tuesday at the very earliest
The cyber attack has come at a salient period of the calendar year, with the new ’75’ plate launched this month
A member of staff checks the paintwork on Range Rover bodies as they pass through the paint shop at Jaguar Land Rover’s factory in Solihull
The BBC understands that some JLR models have been sold this week, though these are likely models that have already been registered ahead of the arrival of the new number plate age identifier.
The company, which is owned by India’s Tata Motors, shut down its systems late Sunday night in order to limit potential damage from the cyber attack and has yet to come back online.
JLR’s ability to react so quickly to the breach is partly thanks to its IT service provider also being a subsidiary of its parent group.
TCS – Tata Consultancy Services – is responsible for the car maker’s IT and cybersecurity systems, having extended its partnership in 2023 to ‘accelerate digital transformation across its business’.
It is now said to be working to reboot and restore the systems in a controlled manner, but this is understood to be a ‘highly complex process’.
In the meantime, it is attempting to setup offline systems for the business to use.
The company, which is owned by India’s Tata Motors, shut down its systems late Sunday night in order to limit potential damage from the cyber attack and has yet to come back online. Pictured, the Halewood factory in Merseyside
The BBC understands that some JLR models have been sold this week, though these are likely models that have already been registered ahead of the arrival of the new number plate age identifier
JLR’s ability to react so quickly to the breach is partly thanks to its IT service provider also being a subsidiary of its parent group, Tata
Commenting on the cyber incident, Dray Agha, senior manager of security operations at security specialist Huntress, said: ‘This incident highlights the critical vulnerability of modern manufacturing, where a single IT system attack can halt a multi-billion-pound physical production line, directly impacting sales, especially during a key period like a new registration month.
‘Cybercriminals know this, and many leverage the stopped clock of business functions as the leverage they need to force capitulation of ransomware demands.’
Agha added: ‘While the quick shutdown of systems was a textbook damage limitation tactic that likely prevented a data breach, it underscores the immense recovery challenge companies now face in safely rebooting complex, interconnected operations after an attack.
‘Containment and recovery are crucial parts of responding to an incident, and many organisations still do not have the detection and response technologies to neutralise security intrusions.’
Jake Moore, global cybersecurity advisor at antivirus and internet security provider ESET, also commented: ‘Striking at a time when more than usual customers are likely to see potential delays with their new vehicle registrations and/or deliveries will have been a tactful decision made by the attackers to deliver their message loudest.
‘Even though there is no evidence to suggest customer data has been compromised so far, any cyberattack on a company of this size is a reminder to secure all accounts by enabling multi-factor authentication, using unique passwords and where possible, remain on guard for suspicious messages.’
