A hacking group previously linked to cyber attacks on UK retailers, including Marks & Spencer, has claimed responsibility for a disruptive incident at Jaguar Land Rover that halted global production and prompted investigations. The group, known as Scattered Lapsus$ Hunters, bragged about the hack on Telegram, sharing screenshots allegedly from JLR’s internal systems, while the carmaker works to restore operations amid severe disruptions.
The cyber attack was discovered on Sunday, September 1, 2025, leading Jaguar Land Rover to proactively shut down its IT systems to mitigate the impact. This action caused immediate halts in production at key manufacturing sites, including Halewood in Merseyside and Solihull, with staff being sent home and operations severely affected. JLR has not disclosed full details of the attack but emphasized that there is no evidence of customer data theft at this stage.
On the messaging app Telegram, the hacking group posted images purportedly showing internal JLR documents and system logs, claiming access to the company’s networks. The group, which appears to consist of young English-speaking individuals, has ties to previous high-profile attacks on British retailers such as M&S, Co-op, and Harrods earlier this year. They are attempting to extort money from JLR, though the extent of any data breach or malware installation remains unconfirmed.
This incident is linked to a merger of notorious hacking collectives, including Scattered Spider, Lapsus$, and ShinyHunters, all known for their social media activity and targeting of major corporations. In July, the National Crime Agency arrested four people in connection with the retail attacks, highlighting the persistent threat from these groups. The hackers operate under the umbrella of The Com, a network of youth-oriented cyber criminals.
The disruption has extended beyond JLR to its suppliers, who face potential financial losses estimated in the tens of millions of pounds due to halted parts deliveries. This cyber attack adds to challenges for Jaguar Land Rover, which has been dealing with declining sales and impacts from US tariffs, as reported in recent financial results.
Authorities, including the Information Commissioner’s Office and the NCA, are actively assessing the situation and working with JLR to understand the full impact. Security experts caution that while such groups often exaggerate their claims, the evidence suggests unauthorized access to internal systems, raising alarms about cybersecurity vulnerabilities in large enterprises.
As JLR focuses on restoring its systems and resuming production, the incident underscores the growing risk posed by agile and young hacking collectives. The outcome of ongoing investigations will be crucial for preventing future attacks and strengthening defenses across the industry.
