Jaguar Land Rover (JLR) has said that they believe “some data” was affected in a recent cyber-attack – and production will remain halted until September 24.
Salesforce Ben reported on September 4 that the British automobile manufacturer had announced they had been severely impacted by a cyberattack – amid a wave of disruptions for Salesforce customers.
JLR had said they disconnected their systems, which affected their retail and manufacturing operations. The company did not name Salesforce, but ShinyHunters – who are believed to be behind recent Salesforce social engineering incidents – claimed responsibility.
In a short statement, JLR had previously said that there was “no evidence that any customer data has been stolen”, but their retail and production activities had been “severely disrupted”.
In an update posted online on September 10, JLR later revealed that it now believes “some data has been affected”.
Now, in a statement sent to Salesforce Ben on the morning of September 16, JLR said the “pause in production” will continue until September 24.
Jaguar Land Rover Data Theft: What Happened?
Jaguar Land Rover said in its more recent statement, posted on September 10: “Since we became aware of the cyber incident, we have been working around the clock, alongside third‑party cybersecurity specialists, to restart our global applications in a controlled and safe manner.
“As a result of our ongoing investigation, we now believe that some data has been affected and we are informing the relevant regulators. Our forensic investigation continues at pace and we will contact anyone as appropriate if we find that their data has been impacted.
“We are very sorry for the continued disruption this incident is causing and we will continue to update as the investigation progresses.”
In our original post earlier this month, we reported how the breach had been detected by JLR while it was happening, which prompted the company to proactively shut down its IT systems and production lines across its UK plants in Merseyside/Halewood and Solihull to contain the incident.
Workers had been told through email or internal communications not to report to work.
In an article published on September 12, the BBC reported that the cyber attack forced JLR to shut down its computer system and production lines across the world, with factories in Solihull, Halewood, and Wolverhampton “expected to remain idle until at least Wednesday [September 16]”.
A spokesperson for JLR today told Salesforce Ben: “Today we have informed colleagues, suppliers and partners that we have extended the current pause in our production until Wednesday 24th September 2025.
“We have taken this decision as our forensic investigation of the cyber incident continues, and as we consider the different stages of the controlled restart of our global operations, which will take time. We are very sorry for the continued disruption this incident is causing and we will continue to update as the investigation progresses.”
Who is Behind the JLR Hacks?
Groups going by the aliases Scattered Spider, Lapsus$, ShinyHunters, and the hybrid moniker “Scattered LAPSUS$ Hunters” have claimed responsibility for the cyber‑attack on JLR, according to reports.
The ShinyHunters group was identified by Google threat researchers in June under the moniker UNC6240. They are believed to be responsible for the recent wave of Salesforce attacks.
According to the Financial Times, the hackers posted screenshots on Telegram which purportedly show internal JLR IT system data, including administrative logs and documents such as troubleshooting instructions relating to car charging systems.
Final Thoughts
Taking a broader view of the hacking campaigns, the situation does not seem close to being resolved. The FBI recently issued a FLASH alert warning that two threat groups are compromising the Salesforce environments of businesses to steal data and extort victims.
Salesforce has consistently stressed that vulnerabilities do not come from its own platform.
You can monitor our hub post on the topic, which will be updated as news emerges, here.
