JLR halts production after cyber attack exposes supply chain risks
Jaguar Land Rover (JLR) has sent hundreds of factory workers home following a significant cyber attack, in what analysts are calling a stark reminder of the automotive sector's increasing vulnerability to cyber threats. Production at several plants was brought to a standstill, underscoring the interdependent and complex nature of modern car manufacturing supply chains.
According to JLR, operations were disrupted when critical IT systems failed, interrupting the finely-tuned process by which thousands of components and finished vehicles move through the assembly line daily. With operations relying on seamless logistics and communication between suppliers, even a short outage can trigger major knock-on effects throughout the network.
Industry experts have warned that incidents such as these highlight significant blind spots in the way companies currently monitor and manage cyber risk across their supplier base. Scott Lehmann, Vice President of Product Management at Sphera, an operational risk software company, explained that the crisis demonstrates the need for deeper visibility into supplier networks.
"The JLR cyber incident highlights how fragile automotive supply chains can be when visibility stops at the Tier-1 level. Modern car production depends on thousands of components flowing through tightly sequenced schedules. When just one IT system or supplier link goes down, production across multiple plants can stall within hours," said Lehmann.
He referenced Sphera's recent research, which in August alone tracked 122 cybersecurity alerts across global supply chains, most of which were aimed at operational paralysis rather than data theft. These attacks incapacitated logistics systems, factory networks, and service providers. Lehmann emphasised that these are the sorts of hidden dependencies that many manufacturers fail to notice until a crisis strikes.
"Building resilience requires going beyond transactional supplier lists. The leaders in the sector are already investing in multi-tier supplier mapping and live dependency tracking, so they know, at any given moment, where risks are forming and which suppliers need immediate attention. That shift, from reactive problem-solving to proactive collaboration, is the only way to stay ahead of the escalating cyber threat landscape," he added.
Fresh information suggests the JLR breach may have involved a compromise of Salesforce, the widely-used customer relationship management platform. Andrew Martin, Founder and CEO of cybersecurity firm DynaRisk, pointed to a possible link with infostealer malware targeting Salesforce employee accounts. "Our threat intelligence suggests a possible Salesforce compromise could be at play. A Salesforce employee account was recently breached via infostealer malware, and Tata Motors (JLR's parent company) appears to use Salesforce. This aligns with a surge of Salesforce-targeted attacks in recent months, including claims from hackers in March 2025 that they accessed 700 JLR internal documents," Martin said.
Martin noted the pattern fits a broader string of high-profile attacks targeting global brands, with a suspected connection to the Scattered Spider hacking group. While DynaRisk has not confirmed Scattered Spider's involvement, they believe the method aligns with recent breaches affecting companies like Adidas, Cartier, Google, and Louis Vuitton.
In response to the rising threat, Martin recommended Salesforce users take several precautionary steps: "Assume compromise until proven otherwise, change all passwords immediately, review and tighten incident response processes, audit integrations and connected apps, removing any unnecessary access, and check logs and monitor for anomalies."
"The JLR case underlines a growing trend that Salesforce environments are becoming prime targets, and we expect more major brands to be named in the weeks ahead," Martin warned.
Cybersecurity professionals agree the automotive sector must begin treating supply chain cybersecurity as a non-negotiable operational priority, not merely a technical afterthought. As high-profile attacks increase in frequency and sophistication, companies with global footprints and complex supply chains may need to fundamentally rethink how they map, monitor, and secure every digital link in the production chain.