The first external signs of the chaos about to hit JLR, Britain’s largest automotive employer, came on the quiet last Sunday of August. Managers at a factory in Halewood, Merseyside, told industry contacts there might have been a hack – although it was not clear then just how bad the situation was.
That changed quickly on the Monday morning. JLR, the maker of the Jaguar and Land Rover brands, quickly shut down systems after realising the severity of the cyber-attack. Three weeks later, the carmaker is still incapacitated, unable to produce at any of its factories across the UK, Slovakia, Brazil and India (although a Chinese joint venture is thought to be operating).
The hack is likely to cost JLR hundreds of millions of pounds, and has caused turmoil across its sprawling supply chain – particularly in the West Midlands surrounding the company’s headquarters in Gaydon and the Solihull factory, where it makes its money-spinner Range Rovers. With little hope of an imminent restart, the UK government is facing increasing calls for financial support for suppliers that fear going bust if the sudden revenue drought continues.
Officials at the Department for Business an Trade are understood to be speaking to JLR daily, while the National Cyber Security Centre has been working with the company since last Wednesday to provide support in relation to the incident.
Jaguar Land Rover’s chief executive, Adrian Mardell, pictured with Keir Starmer, has oversee a turnaround strategy called ‘reimagine’. Photograph: Kirsty Wigglesworth/AFP/Getty Images
Morale has – unsurprisingly – been badly hit across the workforce. Factory workers have been told not to return until at least Wednesday, but several people close to JLR believe the wait could be longer still. Managers may have access to emails, but computer-aided design, engineering software and product life-cycle software was down this week. However, the company has put in workarounds to make payments and ship cars to customers, and has focused on keeping existing customers happy with a flow of spare parts.
The JLR chief executive, Adrian Mardell, had been planning a quiet few months before stepping down after three years at the top (and 35 years at the company). Instead, he and JLR, which is owned by India’s Tata Group, have been plunged into weeks of scrambling to restart production. Mardell met the business and trade minister Chris Bryant last week to discuss the incident, and government officials are in daily contact for updates.
The hack will cast a shadow over Mardell’s legacy. His task over three years in charge had been to oversee a turnaround strategy, called “reimagine”, that involved selling fewer cars but at much higher prices. That resulted in 11 consecutive quarters of profits, despite Donald Trump’s tariffs and global instability prompted by Russia’s full-scale invasion of Ukraine. Mardell had also decided to wait for the right moment for a new electric Range Rover and the new Jaguar after a controversial rebrand – with further delays now possible.
Outsourced cybersecurity
JLR has been owned since 2008 by Tata Group. The carmaker is not the only part of the sprawling conglomerate to have questions to answer after the hack: in 2023 JLR outsourced a huge part of its computer systems to Tata Consultancy Services (TCS). TCS is one of the biggest outsourcing companies in the world and makes the bulk of the dividends paid out to the Tata family’s holding company.
TCS has been at the centre of the response to the hack that has crippled JLR, with a large number of employees scrambling to work out the source of the intrusion. TCS did not respond to requests for comment.
Under the five-year, £800m contract agreed in 2023, TCS and JLR planned to “rapidly transform, simplify, and manage its digital and IT estate, supporting its broader strategic business transformation”. TCS runs large parts of JLR’s key computer systems, ranging from its networks to data connections, and, crucially, its cybersecurity.
Part of the reimagine strategy required more flexible software to enable the luxury carmaker to produce Range Rovers in precisely the configuration demanded by the global rich paying £120,000 plus – all while retaining the efficiency of a high-volume factory.
“I would argue that JLR’s software is probably more complex than Nasa putting a spacecraft into space,” said one supplier (with perhaps a touch of hyperbole). “When it works it’s a thing of wonder. This has exposed it.”
One of TCS’s jobs was to manage the upgrade of JLR factory systems to the latest software from the German company SAP. That software was vital to managing production of vehicles and getting parts to the right place at the right time, as well as the “handshake” systems that link to other suppliers. SAP declined to comment.
The hack will raise questions for TCS, which runs large parts of JLR’s key computer systems. Photograph: imageBROKER.com/Alamy
In a video with JLR published on TCS’s website, the TCS president of manufacturing, Anupam Singhal, highlights “smart factories where everything is connected” to try to “remove waste” and use artificial intelligence to “avoid plant downtime”.
The fact that “everything is connected” in JLR’s systems appears to have become a vulnerability. When it discovered the intrusion, the carmaker was unable to isolate factories or functions, forcing it to shut down most of its systems.
The hack will raise questions for TCS, which also works with Marks & Spencer and the Co-op, two British retailers who suffered attacks this year. Reuters reported in May that TCS was the “means of access” for hackers to get into M&S’s systems over the Easter weekend. TCS said in a June statement that “no TCS systems or users were compromised”.
The links with the JLR attack and the retail incidents have led to speculation that the hacks could have been carried out by the same group. The M&S and Co-op hacks have been blamed on an English-language speaking hacking community known as Scattered Spider. Four arrests have been made in the UK in relation to the M&S and Co-op hacks.
Soon after the JLR incident a channel on the Telegram platform posted a screenshot of what appeared to be the carmaker’s internal IT systems, as well as a news article about the attack. The channel’s name was, pointedly, a combination of Scattered Spider and two other English-language-speaking, or western-based, hacking groups known as Lapsus$ and ShinyHunters.
M&S was a ransomware attack, a form of hack that effectively locks up a target’s IT systems and is typically associated with groups based in former Soviet states. JLR has not confirmed the nature of the attack that has closed its factories.
One piece of circumstantial evidence was a person on the Telegram channel called Rey, who shared the same pseudonym as a member of Hellcat, the English-language speaking ransomware gang that claimed to have extracted data from JLR earlier this year.
skip past newsletter promotion
Sign up to Business Today
Get set for the working day – we’ll point you to all the business news and analysis you need every morning
Privacy Notice: Newsletters may contain information about charities, online ads, and content funded by outside parties. If you do not have an account, we will create a guest account for you on theguardian.com to send you this newsletter. You can complete full registration at any time. For more information about how we use your data see our Privacy Policy. We use Google reCaptcha to protect our website and the Google Privacy Policy and Terms of Service apply.
after newsletter promotion
However, the channel, a messy affair with more than 50,000 followers, has since closed down. One law enforcement source advised caution against taking anything from the channel at face value.
JLR declined to discuss details of the hack.
Supply chain pressure
JLR has access to about £6bn in cash, likely enough resources to cope with the crisis even without the help of its huge parent conglomerate, Tata.
Jim Williamson of the bond rating agency CreditSights estimated that JLR could burn through as much as £900m of cash in September, with a £1.7bn decline in working capital – although it could probably recoup a big chunk of that through catchup sales. Williamson added that JLR had “plenty of options” if it needed short-term cash, including issuing new debt, borrowing from banks, or event the government’s UK Export Finance to save the day.
But for some companies in the supply chain the problems may be existential.
JLR has set up a help desk for suppliers. Yet some believe the government needs to step in. JLR has not asked for state support for itself, but is trying to share information on the extent of its supply chain, which may include more than 700 companies making the 30,000 parts that can make up a luxury car.
JLR’s supply chain may include more than 700 companies making the 30,000 parts in a luxury car. Photograph: Matt Crossick/Alamy
“It would be irresponsible if the government didn’t do something if they’re committed to the automotive sector,” said one supplier. “Government need to move quickly.”
For supply chain workers, every day without production raises the threat to their jobs. The Aim-listed insulation supplier Autins Group and the German seat controls manufacturer Brose said workers would be paid for “banked” hours to be worked later on, while the axel maker Dana, the seat maker Lear Corporation and the sunroof maker Webasto were among the other companies where temporary or permanent workers’ jobs were at risk.
The Unite union said the government needed to step in with a furlough scheme to pay wages of factory worker members unable to work, amid concern for the fate of the supply chain.
The industry minister Chris McDonald said on Friday JLR was “taking the lead on support for their own supply chain”. A government source did not rule out some form of support – although a furlough scheme is thought to be unlikely. The government is focusing on working out if supplier collapses could hold up a restart.
Meanwhile many people in JLR are still in “investigation mode”, according to one person close to the company – while others try to rebuild systems in parallel. Several people said the company genuinely did not know when it would be able to restart.
Even when JLR manages to recover its computer systems, the restart will be complicated by more than a thousand cars on lines in various stages of build. JLR will either have to make individual plans for the parts needed for each vehicle on the production lines, or manually move the vehicles off the lines and then try to put them back into the system.
“Does it feel like it’s going to be months?” a supplier said. “Maybe. Is it weeks? Absolutely.”
Quick Guide
Contact us about this story
Show
The best public interest journalism relies on first-hand accounts from people in the know.
If you have something to share on this subject, you can contact us confidentially using the following methods.
Secure Messaging in the Guardian app
The Guardian app has a tool to send tips about stories. Messages are end to end encrypted and concealed within the routine activity that every Guardian mobile app performs. This prevents an observer from knowing that you are communicating with us at all, let alone what is being said.
If you don’t already have the Guardian app, download it (iOS/Android) and go to the menu. Select ‘Secure Messaging’.
SecureDrop, instant messengers, email, telephone and post
If you can safely use the Tor network without being observed or monitored, you can send messages and documents to the Guardian via our SecureDrop platform.
Finally, our guide at theguardian.com/tips lists several ways to contact us securely, and discusses the pros and cons of each.
Illustration: Guardian Design / Rich Cousins
Thank you for your feedback.