JLR Extends Production Downtime; Malware Attack Recovery Taking Longer Than Expected

Jaguar Land Rover, which reported on September 1 that it had been the victim of a debilitating ransomware attack, has not yet been able to resume its normal business operations. The global-scale attack has rendered the Tata-owned company’s IT infrastructure and manufacturing facilities inoperable. Production will now be paused till at least September 24.

A new statement from JLR issued today reads “Today we have informed colleagues, suppliers and partners that we have extended the current pause in our production until Wednesday 24th September 2025. We have taken this decision as our forensic investigation of the cyber incident continues, and as we consider the different stages of the controlled restart of our global operations, which will take time. We are very sorry for the continued disruption this incident is causing and we will continue to update as the investigation progresses.”

According to a recent Reuters report, up to 33,000 workers at JLR’s three plants in Solihull, Halewood and Wolverhampton have been asked not to report to work while the issue is being investigated and problems caused by it are being resolved. Local news outlet BirminghamLive reported that no JLR workers’ jobs are at risk. The company ordinarily produces up to 1,000 cars per day.

The company had initially seemed confident that the attack’s impact had been limited, stating “There is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted”. However, it issued an update on September 10 indicating that further investigation had revealed a more serious breach of its systems. “Since we became aware of the cyber incident, we have been working around the clock, alongside third‑party cybersecurity specialists, to restart our global applications in a controlled and safe manner. As a result of our ongoing investigation, we now believe that some data has been affected and we are informing the relevant regulators.”

A cybercrime group calling itself “Scattered Lapsus$ Hunters” — seemingly made up of members from the previously known groups Scattered Spider, Lapsus$ and ShinyHunters — has purportedly claimed credit for the attack. IT security media has reported screenshots of confidential internal JLR systems appearing online. The groups have previously been tied to attacks on other large British corporations including Marks & Spencer. 

The matter is serious enough to have also been discussed in the UK’s House of Commons last week, where parliamentarians discussed the government’s response to such attacks and how it would work with businesses to prevent them in the future. The question of whether such a large-scale attack could have been state-sponsored was also raised, with officials saying it was too early to confirm such speculation.

As JLR’s IT systems remain offline, manufacturing and vehicle registration processes are paused, preventing already-produced vehicles from being sold. The company’s supply chain vendors and dealerships are likely to be severely impacted.