When a Phone Call Halted Car Production
On 31 August 2025, systems at Jaguar Land Rover began behaving strangely. A few days later, production came to a standstill. For five weeks, almost nothing ran at the plants in England, Slovakia and Brazil. No ransomware-encrypted robot or hijacked controller triggered it – rather, it was the failure of the IT on which the entire manufacturing operation depends. The case shows how an attack on office IT can paralyze an entire production and its supply chain.
Case in Brief
- What happened: A cyber attack on Jaguar Land Rover’s IT halted production at multiple sites for around five weeks from 1 September 2025.
- The damage: The Cyber Monitoring Centre estimates the cost to the British economy at around £1.9 billion, roughly €2.2 billion. JLR incurred losses of approximately £50 million per week.
- The lesson: The machines themselves were not attacked, but the IT without which they cannot run. Companies that fail to separate IT from production and do not prepare contingency operations risk a total shutdown.
The Background
Jaguar Land Rover is the largest car manufacturer in Britain and produces at several sites in England as well as plants in Slovakia and Brazil. As is typical in the automotive industry, production is tightly synchronized and relies on a continuous data chain. Orders, parts supply, logistics and the control of assembly lines run through IT systems that must be permanently available. If this chain fails at any point, the line stops.
estimated economic damage
around £1.9 billion
This very dependency makes manufacturers vulnerable. An attacker does not need to take over the programmable logic controllers of a production line to cause damage. It is enough to render the IT systems unusable, without which no order can be recorded and no part supplied. The attack on JLR is a textbook example of this vulnerability, because it did not target the production control systems but the administrative network, bringing manufacturing down from there.
The Timeline
Towards the end of August 2025, the first irregularities were noticed at a UK site. On 1 September, JLR stopped production as a precaution and sent a large part of the workforce home. Initially, it was described as a short interruption. However, the analysis of the incident and the clean rebuild of the systems dragged on.
On 23 September, the company extended the production stop into October. It was only around 22 October that individual manufacturing processes restarted, step by step and under control. Roughly five weeks passed between the initial standstill and the slow restart. During this time, one of the country’s most important industrial companies produced virtually nothing, with immediate consequences for hundreds of suppliers that depend on JLR orders.
How the Attackers Got In
According to consistent security analyses, the attack did not begin with a technical vulnerability but with deception. Reports describe a vishing campaign – phone calls in which the attackers posed as internal IT support and persuaded employees to hand over login credentials. With valid usernames and passwords, they then gained access to the network via the VPN connection.
Analyses also point to older credentials harvested via infostealer malware and the abuse of access tokens that allowed multi-factor authentication to be bypassed. Whether every detail is accurate cannot be conclusively confirmed from the outside. The pattern, however, is clear: no zero-day exploit, but valid identities, remote access, and the circumvention of weak second factors. A group calling itself Scattered Lapsus$ Hunters claimed responsibility for the attack.
The Response
JLR chose against a quick restart and in favor of a controlled rebuild. The systems were investigated, cleaned and gradually brought back online, rather than forcing production under uncertainty. This approach takes time but prevents attackers from remaining in the network or compromised systems causing further damage.
The impact of the outage extended beyond the company. Because hundreds of suppliers depend directly on JLR, the entire supply chain came under pressure. The UK government intervened and supported the suppliers to prevent insolvencies and lasting damage to the industrial base. A single IT incident thus became an economic policy issue.
The Lessons
The first lesson concerns identity. Entry was gained through social engineering and valid credentials, not through a software vulnerability. A help desk that performs resets and approvals without rigorous identity verification is an open door. Phishing-resistant methods such as FIDO2 and strict verification at the support desk significantly reduce this risk, because stolen passwords alone are then no longer sufficient.
The second lesson concerns the separation of IT and production. When an outage in the administrative network takes down manufacturing, segmentation is missing. Production-adjacent networks must be strictly separated from the office network, with defined transition points and a prepared contingency mode that allows the lines to continue operating for a limited time even without central IT. This capability determines whether an incident costs hours or weeks.
The third lesson concerns the supply chain. The JLR shutdown shows how strongly a single manufacturer supports an entire network of suppliers. This is precisely the point where NIS2, with its supply chain security requirements, comes in. Anyone who is part of such a chain must view their own resilience as a contribution to the resilience of the entire network, not merely as an internal matter.
Frequently Asked Questions
Each question is locked. Tapping unlocks the answer.
Was the production control system itself hacked at JLR?
According to what is known, no. The attack hit the IT systems on which manufacturing depends. Because without these systems no orders, parts supply or line control functions, production nevertheless came to a standstill.
How long did the standstill last?
Roughly five weeks. Production was halted at the beginning of September 2025 and only gradually restarted around 22 October.
How did the attackers get in?
According to the available analyses, through social engineering and valid credentials. Employees were deceived by phone, the captured access led into the network via the VPN connection, and weak second factors were bypassed. No zero-day exploit.
What was the economic damage?
The Cyber Monitoring Centre estimates the cost to the British economy at around £1.9 billion, approximately €2.2 billion. For JLR itself, losses amounted to roughly £50 million per week.
What is the most important lesson for other manufacturers?
Production and office IT must be separated. For emergencies, a prepared contingency mode is required. In addition, phishing-resistant login methods and a help desk with strict identity verification are essential, so that stolen passwords alone are no longer sufficient.
Editor’s Picks
Editor’s PickSüdwestfalen IT: The Lesson of Municipal ITEditor’s PickAdaptive MFA: NIS2 Pressure as a Zero-TrustEditor’s PickWhat Is NIS2? Definition, Obligations, and Liability
More from the MBF Media Network
cloudmagazinKRITIS in the Cloud: What Secures the MigrationMyBusinessFutureThe AI oversight in Germany now has an addressDigital ChiefsThe AI writes the code. Who is liable for it?





