{"id":20942,"date":"2026-07-07T06:00:00","date_gmt":"2026-07-07T06:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/?p=20942"},"modified":"2026-07-09T16:04:31","modified_gmt":"2026-07-09T16:04:31","slug":"if-a-phone-call-stops-car-production","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/07\/07\/if-a-phone-call-stops-car-production\/","title":{"rendered":"When a Phone Call Halted Car Production"},"content":{"rendered":"<p><strong>On 31 August 2025, systems at Jaguar Land Rover began behaving strangely. A few days later, production came to a standstill. For five weeks, almost nothing ran at the plants in England, Slovakia and Brazil. No ransomware-encrypted robot or hijacked controller triggered it &#8211; rather, it was the failure of the IT on which the entire manufacturing operation depends. The case shows how an attack on office IT can paralyze an entire production and its supply chain.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Case in Brief<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">What happened:<\/strong> A cyber attack on Jaguar Land Rover\u2019s IT halted production at multiple sites for around five weeks from 1 September 2025.<\/li>\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">The damage:<\/strong> The Cyber Monitoring Centre estimates the cost to the British economy at around \u00a31.9 billion, roughly \u20ac2.2 billion. JLR incurred losses of approximately \u00a350 million per week.<\/li>\n<li style=\"margin-bottom:0;\"><strong style=\"color:#69d8ed;\">The lesson:<\/strong> The machines themselves were not attacked, but the IT without which they cannot run. Companies that fail to separate IT from production and do not prepare contingency operations risk a total shutdown.<\/li>\n<\/ul>\n<\/div>\n<h2>The Background<\/h2>\n<p>Jaguar Land Rover is the largest car manufacturer in Britain and produces at several sites in England as well as plants in Slovakia and Brazil. As is typical in the automotive industry, production is tightly synchronized and relies on a continuous data chain. Orders, parts supply, logistics and the control of assembly lines run through IT systems that must be permanently available. If this chain fails at any point, the line stops.<\/p>\n<div data-element=\"key_number\" style=\"background:#003340;border:1px solid rgba(105,216,237,0.28);border-radius:10px;padding:28px 24px;margin:32px 0;text-align:center;\">\n<div style=\"font-size:2.0em;font-weight:800;color:#69d8ed;line-height:1.05;word-break:keep-all;\">\u20ac2.2 bn<\/div>\n<p style=\"margin:10px 0 0;font-size:0.92em;color:#e6e3da;\">estimated economic damage<\/p>\n<p style=\"margin:6px 0 0;font-size:0.78em;color:#8fa3ab;\">around \u00a31.9 billion<\/p>\n<\/div>\n<p>This very dependency makes manufacturers vulnerable. An attacker does not need to take over the programmable logic controllers of a production line to cause damage. It is enough to render the IT systems unusable, without which no order can be recorded and no part supplied. The attack on JLR is a textbook example of this vulnerability, because it did not target the production control systems but the administrative network, bringing manufacturing down from there.<\/p>\n<h2>The Timeline<\/h2>\n<p>Towards the end of August 2025, the first irregularities were noticed at a UK site. On 1 September, JLR stopped production as a precaution and sent a large part of the workforce home. Initially, it was described as a short interruption. However, the analysis of the incident and the clean rebuild of the systems dragged on.<\/p>\n<div data-element=\"timeline\" style=\"margin:32px 0;\">\n<div style=\"display:flex;gap:16px;margin:0 0 14px;\">\n<div style=\"flex:0 0 auto;min-width:104px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.78em;color:#69d8ed;padding-top:2px;\">31.08.2025<\/div>\n<div style=\"color:#e6e3da;line-height:1.55;\">First irregularities detected in the systems<\/div>\n<\/div>\n<div style=\"display:flex;gap:16px;margin:0 0 14px;\">\n<div style=\"flex:0 0 auto;min-width:104px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.78em;color:#69d8ed;padding-top:2px;\">01.09.2025<\/div>\n<div style=\"color:#e6e3da;line-height:1.55;\">Production halted<\/div>\n<\/div>\n<div style=\"display:flex;gap:16px;margin:0 0 14px;\">\n<div style=\"flex:0 0 auto;min-width:104px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.78em;color:#69d8ed;padding-top:2px;\">23.09.2025<\/div>\n<div style=\"color:#e6e3da;line-height:1.55;\">Production stop extended into October<\/div>\n<\/div>\n<div style=\"display:flex;gap:16px;margin:0 0 14px;\">\n<div style=\"flex:0 0 auto;min-width:104px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.78em;color:#69d8ed;padding-top:2px;\">22.10.2025<\/div>\n<div style=\"color:#e6e3da;line-height:1.55;\">Gradual restart of manufacturing<\/div>\n<\/div>\n<\/div>\n<p>On 23 September, the company extended the production stop into October. It was only around 22 October that individual manufacturing processes restarted, step by step and under control. Roughly five weeks passed between the initial standstill and the slow restart. During this time, one of the country\u2019s most important industrial companies produced virtually nothing, with immediate consequences for hundreds of suppliers that depend on JLR orders.<\/p>\n<h2>How the Attackers Got In<\/h2>\n<p>According to consistent security analyses, the attack did not begin with a technical vulnerability but with deception. Reports describe a vishing campaign &#8211; phone calls in which the attackers posed as internal IT support and persuaded employees to hand over login credentials. With valid usernames and passwords, they then gained access to the network via the VPN connection.<\/p>\n<p>Analyses also point to older credentials harvested via infostealer malware and the abuse of access tokens that allowed multi-factor authentication to be bypassed. Whether every detail is accurate cannot be conclusively confirmed from the outside. The pattern, however, is clear: no zero-day exploit, but valid identities, remote access, and the circumvention of weak second factors. A group calling itself Scattered Lapsus$ Hunters claimed responsibility for the attack.<\/p>\n<h2>The Response<\/h2>\n<p>JLR chose against a quick restart and in favor of a controlled rebuild. The systems were investigated, cleaned and gradually brought back online, rather than forcing production under uncertainty. This approach takes time but prevents attackers from remaining in the network or compromised systems causing further damage.<\/p>\n<p>The impact of the outage extended beyond the company. Because hundreds of suppliers depend directly on JLR, the entire supply chain came under pressure. The UK government intervened and supported the suppliers to prevent insolvencies and lasting damage to the industrial base. A single IT incident thus became an economic policy issue.<\/p>\n<h2>The Lessons<\/h2>\n<p>The first lesson concerns identity. Entry was gained through social engineering and valid credentials, not through a software vulnerability. A help desk that performs resets and approvals without rigorous identity verification is an open door. Phishing-resistant methods such as FIDO2 and strict verification at the support desk significantly reduce this risk, because stolen passwords alone are then no longer sufficient.<\/p>\n<p>The second lesson concerns the separation of IT and production. When an outage in the administrative network takes down manufacturing, segmentation is missing. Production-adjacent networks must be strictly separated from the office network, with defined transition points and a prepared contingency mode that allows the lines to continue operating for a limited time even without central IT. This capability determines whether an incident costs hours or weeks.<\/p>\n<p>The third lesson concerns the supply chain. The JLR shutdown shows how strongly a single manufacturer supports an entire network of suppliers. This is precisely the point where NIS2, with its supply chain security requirements, comes in. Anyone who is part of such a chain must view their own resilience as a contribution to the resilience of the entire network, not merely as an internal matter.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<p class=\"st-faq-hint\">Each question is locked. Tapping unlocks the answer.<\/p>\n<details>\n<summary><strong>Was the production control system itself hacked at JLR?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">According to what is known, no. The attack hit the IT systems on which manufacturing depends. Because without these systems no orders, parts supply or line control functions, production nevertheless came to a standstill.<\/p>\n<\/details>\n<details>\n<summary><strong>How long did the standstill last?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Roughly five weeks. Production was halted at the beginning of September 2025 and only gradually restarted around 22 October.<\/p>\n<\/details>\n<details>\n<summary><strong>How did the attackers get in?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">According to the available analyses, through social engineering and valid credentials. Employees were deceived by phone, the captured access led into the network via the VPN connection, and weak second factors were bypassed. No zero-day exploit.<\/p>\n<\/details>\n<details>\n<summary><strong>What was the economic damage?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">The Cyber Monitoring Centre estimates the cost to the British economy at around \u00a31.9 billion, approximately \u20ac2.2 billion. For JLR itself, losses amounted to roughly \u00a350 million per week.<\/p>\n<\/details>\n<details>\n<summary><strong>What is the most important lesson for other manufacturers?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Production and office IT must be separated. For emergencies, a prepared contingency mode is required. In addition, phishing-resistant login methods and a help desk with strict identity verification are essential, so that stolen passwords alone are no longer sufficient.<\/p>\n<\/details>\n<p>\n<!--ST-LOWER-CARDS lang=en--><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Editor&#8217;s Picks<\/h3>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/05\/south-westphalia-it-the-lesson-of-municipal-it\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/suedwestfalen-it-akira-post-mortem-kommunale-it-sicherheit-cover-hero-1-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">S\u00fcdwestfalen IT: The Lesson of Municipal IT<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/07\/adaptive-mfa-nis2-pressure-as-a-zero-trust\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/05\/adaptive-mfa-nis2-bsi-zero-trust-mittelstand-fido2-2026-hero-250x167.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Adaptive MFA: NIS2 Pressure as a Zero-Trust<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/05\/what-is-nis2-definition-obligations-and-liability\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/was-ist-nis2-cover-hero-1-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">What Is NIS2? Definition, Obligations, and Liability<\/span><\/span><\/a><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">More from the MBF Media Network<\/h3>\n<p><a href=\"https:\/\/www.cloudmagazin.com\/en\/2026\/06\/29\/kritis-in-the-cloud-what-secures-the-migration\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-kritis-cloud-migration-c5-nis2-dachgeset-70478771.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#0bb7fd;margin-bottom:5px;\">cloudmagazin<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">KRITIS in the Cloud: What Secures the Migration<\/span><\/span><\/a><a href=\"https:\/\/mybusinessfuture.com\/en\/the-ai-oversight-in-germany-now-has-an-address\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-die-ki-aufsicht-in-deutschland-hat-jetzt-91048899-250x141.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#aa8ac2;margin-bottom:5px;\">MyBusinessFuture<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">The AI oversight in Germany now has an address<\/span><\/span><\/a><a href=\"https:\/\/www.digital-chiefs.de\/en\/the-ai-writes-the-code-who-is-liable-for-it\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-ki-generierter-code-haftung-governance-r-68881977-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#e8828d;margin-bottom:5px;\">Digital Chiefs<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">The AI writes the code. Who is liable for it?<\/span><\/span><\/a><!--\/ST-LOWER-CARDS--><\/p>\n","protected":false},"excerpt":{"rendered":"On 31 August 2025, systems at Jaguar Land Rover began behaving strangely. A few days later, production came to a standstill. For five weeks, almost nothing ran at the plants in England, Slovakia and Brazil. No ransomware-encrypted robot or hijacked controller triggered it &#8211; rather, it was the failure of the IT on which the [&hellip;]","protected":false},"author":10,"featured_media":20761,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"Jaguar Land Rover cyberattack","_yoast_wpseo_title":"If a Phone Call Stops Car Production","_yoast_wpseo_metadesc":"Jaguar Land Rover's 2025 cyberattack halted production for five weeks. Discover how hackers breached their systems and key lessons for manufacturers.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"evm_cvss":0,"evm_risk":0,"evm_casefile":"","evm_primary_cve":"","_evm_translation_lang":"","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[5],"tags":[],"class_list":["post-20942","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-case-studies"],"evm_reading_time_minutes":7,"wpml_language":"en","wpml_translation_of":20760,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20942","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=20942"}],"version-history":[{"count":2,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20942\/revisions"}],"predecessor-version":[{"id":20978,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20942\/revisions\/20978"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/20761"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=20942"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=20942"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=20942"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}