
By Ziv Chang
Early this September, Jaguar Land Rover (JLR) confirmed that it had been hit by a cyber incident that forced factory shutdowns and continues to disrupt operations across its production network.
The incident serves as a stark reminder of the fragility of today’s automotive supply chains. Modern automotive manufacturers (OEMs) rely heavily on software-driven operations and globally distributed suppliers. This means that a single weak spot – whether in IT systems, suppliers, or third-party tools – can quickly ripple outward. The result: factory shutdowns, financial losses, and long delays in restarting production.
In this blog, we’ll outline what’s currently known about the incident, compare it with other notable supply chain attacks in both the IT and automotive industries, and recommend practical steps carmakers can take to reduce cyber risks across their supplier networks.
Timeline of the JLR cyber incident
Here’s how the cyber incident has unfolded so far:
- August 31, 2025 – JLR halts production at several factories after detecting a cyber incident.
- September 2, 2025 – The automaker confirms the attack and shuts down global IT systems, disrupting both manufacturing and retail operations. The timing coincides with the UK’s “New Plate Day,” a key date for new car registrations.
- September 10, 2025 – JLR acknowledges that some data may have been affected. Production remains down.
- September 15–20, 2025 – Reports highlight wider supply chain disruption. UK officials consider possible interventions as the shutdown continues.
- September 23–25, 2025 – JLR announces that production remains suspended until at least October 1. Although no insurance payout has been confirmed, the automaker reportedly paid £300 million to suppliers to help keep them afloat.
- September 25, 2025 – The automaker announces a phased restart of its operations.
Analysts suggest the issue may have stemmed from a Tata Consultancy Services (TCS)-led SAP upgrade that created a single point of failure. Others suspect familiar attack paths, such as spear-phishing or stolen credentials, spreading through JLR’s “smart factory” systems. Since no ransom demand has surfaced, many believe the motive is data theft rather than extortion.
Lessons from past supply chain cyberattacks
While the investigation into the JLR incident is ongoing, it is clear that such attacks are not unique, nor are they confined to the automotive sector. Supply chain cyberattacks have long been a favored tactic, with attackers often exploiting trusted vendors or software providers as stepping stones into larger organizations. Some of the most notable examples include:
- Target (2013) – Hackers stole credentials from an HVAC vendor to access Target’s network, installing malware that captured 40 million credit card numbers.
  Attack Path: Vendor phishing → Network pivot → Malware deployment
- SolarWinds (2020) – Hackers compromised Orion software updates, affecting 18,000 customers, including U.S. government agencies.
  Attack Path: Vendor compromise → Tainted update → Widespread infiltration
- Kaseya (2021) – The REvil gang exploited a zero-day in Kaseya’s IT tool, pushing ransomware to thousands of downstream customers.
  Attack Path: Zero-day exploit → Malicious update → Mass ransomware spread
- MOVEit (2023) – The Clop gang exploited a zero-day in MOVEit Transfer software, hitting over 620 organizations with data theft and ransom demands.
  Attack Path: Third-party vuln → Direct exploit → Data exfiltration
The auto industry is not immune
The automotive industry has also faced several high-profile supply chain–related cyberattacks in recent years:
Year | Company type | What happened |
---|---|---|
2021 (February) | Car manufacturer | Suspected ransomware disrupted internal and customer systems. |
2022 (February to March) | Parts supplier for a car manufacturer | A cyberattack forced a car manufacturer to suspend production at multiple plants in Japan. |
2022 (June) | Fabric supplier for a car manufacturer | LockBit ransomware leaked stolen files. |
2024 (June) | Car dealership software provider | Ransomware shut down systems for thousands of dealerships. |
2025 (September) | Car manufacturer | A data breach via a third-party platform exposed customer contact information. |
Table 1. Recent supply chain-related cyberattacks in the automotive industry
These cases underscore that even the world’s largest automakers and suppliers are exposed when a single weak link in the chain is targeted.
Securing the automotive supply chain
Supply chain attacks exploit the interconnectedness of modern manufacturing and software ecosystems. Automakers depend on various third-party tools, open-source libraries, and cloud services – each of which can become an entry point for attackers.
To defend against these risks, car OEMs and their suppliers need both technical safeguards and organizational readiness – a holistic approach to automotive cybersecurity that extends across the supply chain.
Category | Measure | What to do |
---|---|---|
Core Technical / Process Controls | Secure build pipelines (SLSA) | Enforce provenance, least privilege, and isolated environments. |
Core Technical / Process Controls | Dependency and package management | Lock versions, use checksums, and audit third-party code. |
Core Technical / Process Controls | Artifact signing and SBOMs | Require code signing, maintain/share SBOMs. |
Core Technical / Process Controls | Credential and cloud access protection | Use secret managers, short-lived tokens, and monitor high-priv accounts. |
Monitoring, Detection, Governance | Third-party risk management | Assess suppliers, add security clauses, run audits. |
Monitoring, Detection, Governance | Automated scanning and SCA | Integrate into CI/CD, detect malicious code. |
Monitoring, Detection, Governance | Threat hunting and detection | Expand SIEM/EDR rules, align with MITRE ATT&CK. |
Development & Operations | Least privilege and segmentation | Restrict permissions, isolate environments. |
Development & Operations | Incident response and supplier coordination | Pre-agree workflows, plan rollback, and patching. |
Development & Operations | Verification of AI models and datasets | Validate integrity, sandbox-test before use. |
Policy & Awareness | Executive governance | Add supply chain risks to enterprise risk planning. |
Policy & Awareness | SBOM transparency | Keep SBOMs up to date, share with trusted partners. |
Table 2. Recommended mitigations for securing the automotive supply chain
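The "use checksums" and "maintain/share SBOMs" measures in Table 2 can be combined into a single intake check on what a supplier delivers. The following Python example is added here for illustration and is not code from the original article or from any company named in it; the file names, contents and the audit_delivery function are constructed, and the SBOM uses CycloneDX JSON field names (components, hashes, alg, content).

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_delivery(sbom: dict, delivered: dict) -> dict:
    """Compare delivered artifacts with the SHA-256 hashes declared in an SBOM."""
    declared = {}
    for comp in sbom.get("components", []):
        digest = next((h["content"] for h in comp.get("hashes", [])
                       if h.get("alg") == "SHA-256"), None)
        declared[comp["name"]] = digest
    verdicts = {}
    for name, blob in delivered.items():
        if name not in declared:
            verdicts[name] = "not-in-sbom"        # shipped but never declared
        elif declared[name] is None:
            verdicts[name] = "no-checksum"        # declared without a hash
        elif hmac.compare_digest(declared[name].lower(), sha256_hex(blob)):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "hash-mismatch"      # content differs from the SBOM
    for name in declared.keys() - delivered.keys():
        verdicts[name] = "missing-artifact"       # declared but not shipped
    return verdicts

# Constructed sample data (all names and contents are made up for this example).
RELEASED = {"telematics-fw.bin": b"fw 2.4.1", "diag-lib.so": b"diag 1.0.3"}

def _component(name, version, data=None):
    hashes = [{"alg": "SHA-256", "content": sha256_hex(data)}] if data else []
    return {"type": "file", "name": name, "version": version, "hashes": hashes}

SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    _component("telematics-fw.bin", "2.4.1", RELEASED["telematics-fw.bin"]),
    _component("diag-lib.so", "1.0.3", RELEASED["diag-lib.so"]),
    _component("hmi-theme.zip", "7.0.0"),
    _component("ota-agent.bin", "3.1.0", b"ota 3.1.0"),
]}
DELIVERED = {
    "telematics-fw.bin": RELEASED["telematics-fw.bin"],
    "diag-lib.so": RELEASED["diag-lib.so"] + b"\x90patched",
    "hmi-theme.zip": b"theme 7.0.0",
    "helper.exe": b"unexpected extra file",
}

if __name__ == "__main__":
    for name, verdict in sorted(audit_delivery(SAMPLE_SBOM, DELIVERED).items()):
        print(f"{name:20} {verdict}")
```

Anything other than "ok" is a reason to hold the delivery and go back to the supplier before the artifact reaches a build or plant system.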
A wake-up call for automotive supply chains
The JLR cyber incident shows how a single disruption in today’s interconnected supply chains can paralyze even the largest automakers. Whether triggered by a system upgrade gone wrong or a classic phishing exploit, it underscores how vulnerable “smart factories” and global supplier networks can be.
The lesson is clear: supply chain security must be treated as a core business issue, not merely an IT concern. Carmakers and suppliers alike should adopt a layered defense approach, encompassing secure build pipelines, strong dependency and credential management, continuous monitoring, and clear incident response coordination with partners. Executive-level governance is also critical. And as AI becomes more deeply embedded in the supply chain, validating its integrity will be just as important.
For the automotive industry, the JLR cyber incident is more than an isolated event – it is a wake-up call. Supply chain resilience will define future competitiveness, and the time to act is now.