Blog

Unlock the Editor’s Digest for free

Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.

Jaguar Land Rover appears to have been targeted by hackers more than a year before the cyber attack in August that forced the carmaker to halt production, as investigators consider whether a state-backed actor or organised crime group was behind the hack.

Few details have emerged from the investigation, led by the National Crime Agency, into the attack that has devastated JLR’s supply chain and triggered a £1.5bn state-backed loan for the UK carmaker owned by India’s Tata Motors. The National Cyber Security Centre is also involved in the probe.

One person with direct knowledge of JLR’s investigation of the attack said it had not ruled out the involvement of organised crime or state-backed agents. 

One senior government figure added: “It’s considered reasonably likely that there could be a hostile state behind this, although we don’t yet know either way.”

According to an analysis by cyber security consultancy Deep Specter Research, the malicious activity targeting JLR appears to have started around the time the carmaker started replacing its digital and production systems with the help of various Tata Group technology units in late 2023.

The analysis found that large volumes of employee and customer information and other data were then leaked on to the dark web several times in 2024, with details suggesting the data originated from JLR’s systems.

According to Deep Specter, large data leaks were also spotted in 2024 at Tata Consultancy Services, which JLR uses for cyber security services. TCS declined to comment.

The August hack was “definitely not a spontaneous attack”, said Shaya Feedman, Deep Specter co-founder and former head of information security at Porsche’s digital unit.

“We believe [it was] state orchestrated,” he added, pointing to the length of the campaign, the financial resources committed and the level of infiltration, which shut down JLR’s production for a month. JLR only restarted production for the Range Rover and Range Rover Sport at its Solihull plant last week.

However, other cyber security experts say it is unclear if any previous leaks were linked to the August attack. 

JLR said it was investigating the attack but declined to comment further. “Our focus is on the safe recovery and restoration across our global operations,” it said. 

Shortly after the attack, a hacker calling himself “Rey” claimed he had broken into JLR’s systems. Cyber experts said they believe “Rey” was the same individual, previously linked to the hacker group Hellcat, who claimed to have hacked JLR in March and stolen confidential data.

Deep Specter said state-sponsored groups often try to hide their tracks by sharing access codes with others. Other cyber experts said hacker groups sometimes worked with or were backed by bigger criminal organisations.

A spate of recent cyber attacks on UK companies, including retailers Marks and Spencer, the Co-op and Harrods, has prompted chancellor Rachel Reeves to warn of the involvement of hostile states.

“A number of these attacks originate in Russia by Russian-backed entities,” she recently told ITV News.

The spate of hacks has also led to scrutiny of Tata Consultancy Services, which has provided services to recent victims including M&S, Co-op, Stellantis and Renault.

TCS has cleared itself in an internal probe and denied it was used as a gateway for criminals in the M&S attack.

Some cyber experts have suggested that TCS’s extensive market share in cyber security could explain its links to several of the companies that have been targeted.

Ciaran Martin, former chief executive of the NCSC, said the JLR hack in August was unusual because so few details of who did it and how have emerged so far.

“This attack would have been well planned and researched to work out what damage they could do and how they could inflict maximum pain on JLR,” said Martin, now a professor at Oxford university’s Blavatnik School of Government.

Feedman said the JLR hack could expose supply chain and other vulnerabilities across the sector, as Stellantis and Renault have also recently fallen victim to data theft.

At the time of the attack, JLR did not have cyber security insurance although it was in talks to buy a policy.

The company had warned in its 2024 annual report that: “Failure of critical infrastructure or applications could cause an outage across the JLR enterprise, hindering our ability to conduct essential business transactions or activities.”

Jamie MacColl, senior research fellow and cyber security expert at the Royal United Services Institute, said any organisation of JLR’s size would have cyber vulnerabilities, especially in manufacturing. “The question is how resilient they are when your system is actually compromised by a bad actor,” he added.

Additional reporting by Chris Kay in Mumbai