Anatomy of a Breach: Jaguar Land Rover — Manufacturing Halted, Staff Sent Home, and Revenue Hit by Ransomware

> series: anatomy_of_a_breach —— part: 201 —— target: jaguar_land_rover —— plant: halewood —— impact: production_halted_staff_sent_home —— timing: peak_registration_period

Hedgehog Security 30 September 2025 13 min read

JLR. Halewood plant shut. Staff sent home. During the UK's busiest car registration period.

In September 2025, Jaguar Land Rover (JLR) — the UK automotive manufacturer with over 33,000 employees — was hit by a cyber attack that severely disrupted sales and production operations. Staff at the Halewood production plant in Merseyside were told not to come to work while the company responded to the incident. Car dealers were unable to register new JLR vehicles on 1 September — during one of the busiest periods in the year for new car registrations in the UK.

A spokesperson for a group calling itself the Scattered Lapsus$ Hunters — described as an alleged collaboration between Scattered Spider, ShinyHunters, and Lapsus$ — claimed responsibility and stated the group had accessed JLR's systems and was seeking to extort the firm. Despite restarting full manufacturing operations in October, the attack proved extremely costly — JLR subsequently revealed that it had significantly impacted the company's revenue for the quarter. Combined with the Marks & Spencer attack (£1.9 billion), the JLR breach contributed to 2025 being the most damaging year for UK corporate cybersecurity on record.


M&S (retail). JLR (automotive). The UK's largest companies are targets.

Manufacturing Halted

JLR's production shutdown echoed <a href="/blog/anatomy-of-a-breach-norsk-hydro">Norsk Hydro</a> (2019) and <a href="/blog/anatomy-of-a-breach-garmin-wastedlocker">Garmin</a> (2020) — ransomware against manufacturers disrupts physical production. For UK <a href="/blog/sector-under-the-microscope-manufacturing">manufacturers</a>, production system resilience requires IT/OT segmentation, tested backups, and incident response planning. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> validates manufacturing resilience.

Timing: Peak Registration Period

The attack hit during the busiest period for new car registrations — maximising commercial damage. Attackers increasingly time their operations for maximum business impact. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides heightened monitoring during peak business periods.

Scattered Lapsus$ Hunters

The alleged collaboration between Scattered Spider, ShinyHunters, and Lapsus$ — if confirmed — represents a new level of threat actor coordination, combining the social engineering expertise of Scattered Spider with the data theft capabilities of ShinyHunters. <a href="https://www.cyber-defence.io/services/threat-intelligence">UK Cyber Defence's threat intelligence</a> tracks evolving threat group collaborations.

Revenue Impact

JLR confirmed significant revenue impact — compounding with the M&S breach to make 2025 the worst year for UK corporate cybersecurity losses on record. <a href="/cyber-essentials">Cyber Essentials</a> and <a href="/penetration-testing">penetration testing</a> cost a fraction of quarterly revenue loss.

M&S: £1.9 billion. JLR: revenue impacted. 2025 is the UK's worst year. Act now.

The M&S and JLR attacks together established 2025 as the most damaging year in UK corporate cybersecurity history. Cyber Essentials provides the baseline. Penetration testing validates defences. Social engineering testing assesses help desk resilience. SOC in a Box for Manufacturing provides 24/7 monitoring. And UK Cyber Defence provides the incident response and crisis management that limits damage when attacks succeed.


JLR: production halted, revenue hit. M&S: £1.9 billion. Is your UK business defended?

<a href="/penetration-testing">Penetration testing</a>. <a href="/cyber-essentials">Cyber Essentials</a>. <a href="https://www.socinabox.co.uk">SOC in a Box</a>. <a href="https://www.cyber-defence.io/services/incident-response">Incident response</a>. Because 2025 is the UK's worst year. Don't contribute to 2026's.
