Jaguar Land Rover cyber attack was costliest in British history, and the pain isn’t over

Jaguar Land Rover has become the victim of the costliest cyber attack in British history: that’s the verdict of cybersecurity experts, with some estimating further impact could be felt down the line.

Analysts from the Cyber Monitoring Centre (CMC), a non-profit organisation specialising in the monitoring and evaluation of cyber events across the globe, estimates the ransomware attack on JLR is likely to have cost anything between £1.6 and £2.1billion, with £1.9billion being the most likely figure.

With estimates suggesting that JLR was losing as much as £50million per week during the shutdown, the CMC has rated the attack as a “Category 3” systemic event on its scale of severity (one being low risk and five being catastrophic). The costly nature of the incident makes it the biggest financial impact of its kind in British history – even more so than the recent hacks of M&S and the Co-op.

It’s perhaps no surprise with the lack of production throughout September that JLR posted some rather grim wholesale and retail figures for the second quarter of the 2026 financial year (July 1 to September 30). Wholesales were down by almost a quarter, with retail output suffering a 17.1 per cent dip.

This comes after a tough start to the year amidst trade tariffs imposed by US President Donald Trump. In a statement, CEO Adrian Mardell described the past few months as “a challenging quarter for JLR”.

“From the start of September, we have been responding to a cyber incident, which shut down our production,” Mardell said. “Since then, we have worked with retailers to prioritise the delivery of our world-class vehicles to our clients.”

But Dr Ilia Kolochenko, a fellow at the British Computer Society, warned: “The estimated £2billion loss may be just a small fraction of the total financial loss, merely representing already incurred and now-foreseeable losses that can be quantified.

“For instance, possible theft of valuable JLR’s trade secrets and their subsequent exploitation by rival corporations in hostile nations states may cause significantly more losses in the long-term perspective.”

While half of the financial impact is expected to have been taken by JLR itself, it’s the firm’s supply chain of smaller businesses that are thought to have borne the brunt of the other billion pounds or so of losses.

With fears that businesses could go bust and needing materials to restart production, the Government offered a £1.5billion loan to help the situation. However, JLR launched a cash-up-front scheme for its suppliers in early October instead, with help from what was described as an independent “banking partner”.

Now that production has restarted, if you’re considering buying one of JLR’s models, our Buy a Car service has plenty of great Land Rover deals available, we also have a wide selection of used Land Rover models.

JLR cyber attack timeline

On 2 September, JLR confirmed that it was the victim of what it described as a “cyber incident” that occurred on 31 August. In order to mitigate the infiltration, the firm’s IT team immediately shut down its array of online systems, so the various production lines that rely on this type of technology came to a halt.

From the day following the attack, JLR asked more than 30,000 of its factory employees to remain at home. Since then, production across the firm’s sites in Halewood, Solihull, Wolverhampton and abroad has remained at a standstill while the company works with “third‑party cybersecurity specialists and alongside law enforcement” in order to get things back online safely.

The brand began an in-depth investigation into the incident, with a spokesperson saying on 10 September: “Since we became aware of the cyber incident, we have been working around the clock, alongside third-party cybersecurity specialists, to restart our global applications in a controlled and safe manner. 

“As a result of our ongoing investigation, we now believe that some data has been affected and we are informing the relevant regulators. Our forensic investigation continues at pace and we will contact anyone as appropriate if we find that their data has been impacted.” 

It has yet to be confirmed what data this is. 

After six weeks of inactivity in JLR’s factories, production began what was described as a “phased restart” on Wednesday 8 October, beginning in Solihull, Castle Bromwich and Halewood, and then a few days later in plants abroad.

Lessons to be learned

Senior manager of security operations at cybersecurity firm Huntress, Dray Agha, said the incident “highlights the critical vulnerability of modern manufacturing, where a single IT system attack can halt a multi-billion-pound physical production line”. 

“[Brands] must implement and rigorously test 'segmentation',” Agha continued. “[This] means creating digital firewalls between critical production networks and other business IT systems.” Doing so “contains an attack and prevents a single point of failure from bringing the entire operation to a standstill”.

Our dealer network has 1,000s of great value new cars in stock and available now right across the UK. Find your new car…