Jaguar Land Rover (JLR) confirms some data was stolen in last month's cyberattack – all while factory workers are told to stay home for another week as the company struggles to restore operations.
With the restoration timeline still an unknown, the UK-based luxury automaker on Wednesday put out a fresh statement about the August 31st cyberattack to update a hungry supply chain and the public.
The attack, which forced JLR to "proactively shut down” its systems for nearly two weeks now, has incapacitated the high-end auto manufacturer’s retail arm, as well as operations at multiple production facilities.
“Since we became aware of the cyber incident, we have been working around the clock to restart our global applications in a controlled and safe manner,” JLM posted on its corporate website.
Now it's been reported that JLR staff, who were to report back to work on Wednesday, have been told to stay home again, with disruptions moving into a third week.
Production was paused last week at factories in the English cities of Halewood, Solihull, and its engine manufacturing site in Wolverhampton (featured image) , reported the Independent.
Apparently, the tens of thousands of furloughed staff were told to be on standby in case circumstances change, the outlet said.
JLR has apologized for “the continued disruption” and said it will “continue to update as the investigation progresses.”
Data confirmed stolen
Besides operational woes, the company has now admitted that the hackers responsible for the breach made away with some of its data, a turnaround from previous statements made by the company in the days right after the attack that no data had been accessed.
“As a result of our ongoing investigation, we now believe that some data has been affected,” Jaguar Land Rover said in the September 10th statement.
JLR did not say what type of data was accessed, how much may have been exfiltrated, or whether any of its over 30,000 employees may be affected. However, JLR reiterated that its forensic investigation “continues at pace,” promising to “contact anyone as appropriate if we find that their data has been impacted.
With over 400,000 customers worldwide, the company recorded an annual revenue of £29 billion, according to Jaguar’s 2024 annual report.
Dr. Darren Williams, Founder and CEO of BlackFog, a ransomware prevention firm, says the confirmation of corpomised data "should be no surprise."
Williams says that “While JLR is still working hard to restore its systems, it has yet to confirm the nature of data impacted in the attack,” and that “customers should be vigilant.”
"Stolen data not only carries a value on the dark web but can also be used in identity theft and targeted attacks,” Williams explains.
This isn’t the first time Jaguar Land Rover has had to deal with hackers. In March, a threat actor called “fedboy” claimed he had stolen 700 internal company documents containing employee details like usernames, email addresses, display names, and operational time zones.
The hackers responsible
Owned by India's Tata Motors, the cyberattack is thought to be the handiwork of a newly formed trio of notorious hacking groups, rebranded under the moniker “scattered LAPSUS$ hunters.”
Since its alleged attack on the automaker, the cybercriminal triad has also taken to boasting about its exploits on a newly created Telegram channel, taunting not only JLR but the FBI, Google, the UK National Crime Agency, and threatening more attacks on other critical targets
The group has referenced the Jaguar Land Rover hack multiple times on the channel, but without concrete proof, Cybernews researchers say it could all be just one big publicity stunt.
The Scattered Spider ransomware group is most widely known for hitting Britain’s retail sector this spring, including Marks & Spencer, Harrods, and Co-op, which in July admitted that the data of 6.5 million members was stolen.
Williams points out that for Scattered Spider, “data exfiltration is a significant part of its previous attacks…getting their hands on large volumes of customer information.”
Meanwhile, the Shiny Hunters gang (UNC6240) is believed to be the instigators behind the recent Salesloft Drift/Salesforce hacking campaign impacting over 700 companies worldwide, a bulk of them in mid-August.
First identified by Google threat researchers in June, the campaign most recently impacted several cybersecurity heavyweights, including Palo Alto Networks, Cloudflare, and Zscaler.
“Data exfiltration is now the primary MO of these ransomware gangs,” Williams warns, adding that “organizations must concentrate their defences on stopping intruders from accessing and stealing their mission-critical information.”
Coincidentally, Bridgestone Americas also suffered a major cyberattack on the same Sunday as Jaguar Land Rover. The unclaimed attack, likewise, forced the Japanese-owned tire manufacturer to proactively shut down business operations.
“Although some plants were impacted, we have been methodically returning them back to full operation without incident and expect this to be completed over the next few days,” a Bridgestone spokesperson told CyberSecurity Dive on Monday.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked