Jaguar Land Rover (JLR) has instructed factory workers to stay home until early next week as it continues to grapple with the ramifications of the cyber attack suffered this week.
The breach, which occurred on Sunday, forced the manufacturer to shut down its vital IT systems to protect itself from hackers behind what it dubbed a ‘cyber incident’.
The impact, which is believed to be global, has dramatically affected UK production lines, with factory workers at its vehicle plants in Halewood, Merseyside, and Solihull in the West Midlands – as well as its engine factory in Wolverhampton – told not to come in until Tuesday at the very earliest, the BBC reports.
The situation is said to ‘remain under review’ with the company ‘working at pace’ to resolve the issue, though vehicle output could remain suspended well into next week.
JLR dealers have also been locked out of online systems. However, they have been able to register new models, though via a more arduous process.
It comes at a salient period of the calendar year, with the new ’75’ plate launched this month, which typically attracts more showroom visits and model sales than at any time of the year.
Thousands of existing owners are also believed to be affected, with garages unable to provide repairs as the IT shutdown has an impact on JLR’s parts supply chain.
A notice sent to Halewood workers on 4 September stated: ‘Friday September 5 and Monday September 8: the leadership team has agreed that production associates will be stood down and will have hours banked in line with the corridor agreement.
‘All colleagues are required to attend work as normal on Tuesday September 9 unless informed otherwise.’
On Wednesday, the hacker group also responsible for the highly damaging attack on Marks and Spencer earlier in the year, confirmed it was responsible for infiltrating JLR’s systems.
The group of young English-speaking hackers – who are thought to be teens calling themselves ‘Scattered Lapsus$ Hunters’ – told the BBC how they allegedly accessed the car maker.
However, they are yet to confirm if they have successfully stolen private data from JLR or installed malicious software onto the company’s network.
The car maker has said that, at this stage, there is ‘no evidence any customer data has been stolen’ but acknowledged that its ‘retail and production activities have been severely disrupted’ as a result.
The hacking group posted two images this week showing apparent internal instructions for troubleshooting a car charging issue and internal computer logs.
Security experts say these images suggest the group had access to information they should not have.
In its latest statement issued to the Daily Mail, a spokesperson for the car maker said: ‘JLR has been impacted by a cyber incident. We took immediate action to mitigate its impact by proactively shutting down our systems.
‘We are now working at pace to restart our global applications in a controlled manner.’
Despite facing ongoing problems, JLR’s UK showrooms remain open.
However, dealers are unable to order parts and in some instances haven’t been able to complete customer handovers.
In response to parts supply disruptions for customers expecting vehicle repairs, the manufacturer told us: ‘We are aware of the claims relating to the recent cyber incident and we are continuing to actively investigate.
‘Retailers are continuing to carry out repair work using locally held stock and we are supporting our retailers with access to our diagnostic systems to allow the, to continue work on client vehicles while are systems are not accessible.
‘Our roadside assistance service is operating with our dedicated fleet of branded vehicles, actively supporting clients in need – whether they’ve experienced a breakdown or require roadside assistance.’
It is now said to be working to reboot and restore the systems in a controlled manner, but this is understood to be a ‘highly complex process’.
In the meantime, it is attempting to setup offline systems for the business to use.
Despite the ongoing issues, around 6,000 JLR models have been registered this week, according to reports.
However, retailers are being forced to register each model manually, which involves phoning the DVLA to provide all the necessary information for each vehicle purchased.
This comes at a time when showrooms are at their busiest, with buyers traditionally more likely to purchase new models during the months when the latest number plate age identifier in launched, which also occurs in March.
The company, which is owned by India’s Tata Motors, shut down its systems late Sunday night in order to limit potential damage from the cyber attack and has yet to come back online.
JLR’s ability to react so quickly to the breach is partly thanks to its IT service provider also being a subsidiary of its parent group.
TCS – Tata Consultancy Services – is responsible for the car maker’s IT and cybersecurity systems, having extended its partnership in 2023 to ‘accelerate digital transformation across its business’.
Commenting on the cyber incident, Dray Agha, senior manager of security operations at security specialist Huntress, said: ‘This incident highlights the critical vulnerability of modern manufacturing, where a single IT system attack can halt a multi-billion-pound physical production line, directly impacting sales, especially during a key period like a new registration month.
‘Cybercriminals know this, and many leverage the stopped clock of business functions as the leverage they need to force capitulation of ransomware demands.’
Agha added: ‘While the quick shutdown of systems was a textbook damage limitation tactic that likely prevented a data breach, it underscores the immense recovery challenge companies now face in safely rebooting complex, interconnected operations after an attack.
‘Containment and recovery are crucial parts of responding to an incident, and many organisations still do not have the detection and response technologies to neutralise security intrusions.’
Jake Moore, global cybersecurity advisor at antivirus and internet security provider ESET, also commented: ‘Striking at a time when more than usual customers are likely to see potential delays with their new vehicle registrations and/or deliveries will have been a tactful decision made by the attackers to deliver their message loudest.
‘Even though there is no evidence to suggest customer data has been compromised so far, any cyberattack on a company of this size is a reminder to secure all accounts by enabling multi-factor authentication, using unique passwords and where possible, remain on guard for suspicious messages.’
