Here’s Why an Expert Says the JLR Cyberattack Is Taking So Long to Resolve

      **JLR**

      **The latest in automotive news and reviews, straightforward and clear**

      **Subscribe to our free daily newsletter for the crucial stories delivered straight to you every weekday.**

      Jaguar Land Rover (JLR) has been grappling with the aftermath of a cyberattack for nearly a month. This significant issue has halted production and disrupted operations not only for the automaker but also for its numerous suppliers and distributors. You might think a well-established company like JLR would not be so severely affected by a tech-related issue, but the interconnected nature of the automotive industry makes manufacturers particularly vulnerable to such disruptions.

      As reported by The Guardian earlier this month, “Managers at a factory in Halewood, Merseyside, indicated to industry contacts that a hack may have occurred—though it was unclear at that time how severe the situation was.” Shortly thereafter, it became apparent that the incident was serious enough to essentially halt all operations.

      In early September, reports began to emerge about a cyberattack on JLR. Notorious hacker groups Scattered Spider and LAPSUS$, collaborating under the name Scattered Spider Lapsus$ Hunters, claimed responsibility for the breach, providing screenshots of the automaker’s backend interface as proof of their access.

      Cyfirma has conducted a detailed analysis of the possible technical exploitation involved. They reported, “The exposed code indicates flaws in the authentication logic, which might include vulnerabilities related to how user profiles interface with vehicles. This could allow for reverse engineering or exploitation of connected services, especially if there are weaknesses in token management or validation processes.”

      JLR’s Halewood factory. Richard Martin-Roberts/Getty Images

      It remains unclear, and it is unlikely JLR will disclose, the extent of the disruptions directly linked to the attack versus those resulting from a precautionary shutdown aimed at containing the unauthorized access. There's also some uncertainty regarding the motive behind the hacking, as numerous impostors have falsely claimed responsibility in the wake of the incident. We haven't seen any specific ransom demands made public, nor has JLR provided any such details.

      However, reports indicate that the downtime at Land Rover factories (with no cars being produced at Jaguar currently) has cost the company approximately £50 million ($67 million) each week, according to the BBC. Last week, the UK government’s Department for Business and Trade acknowledged that the “recent cyber incident has significantly impacted Jaguar Land Rover (JLR) and the broader automotive supply chain.” Discussions have arisen about the government potentially assisting by purchasing supply parts temporarily. It appears that factories will remain idle for at least a few more days, though the company asserts it is now making progress toward recovery.

      A JLR spokesperson provided the following official statement in response to my queries:

      “As we carefully and gradually restart our operations, we have informed colleagues, suppliers, and retail partners that sections of our digital infrastructure are operational again. The foundational stages of our recovery plan are actively underway.

      We have greatly enhanced our IT processing capabilities for invoicing. Work is underway to quickly address the backlog of payments to our suppliers.

      Our Global Parts Logistics Centre, which provides parts to distribution centers for our retail partners in the UK and globally, is now returning to full operation. This will facilitate our retail partners in servicing customer vehicles and maintaining client mobility.

      Our financial system for processing vehicle sales is back online, allowing us to expedite vehicle sales and registrations for our clients, generating important cash flow.

      These are crucial initial steps as our dedicated teams work continuously, in collaboration with cybersecurity experts, the UK Government’s NCSC, and law enforcement, to ensure a safe and secure restart. Our primary focus remains on supporting our customers, suppliers, colleagues, and retailers. We fully recognize this is a challenging time for everyone connected with JLR, and we appreciate the ongoing support and patience of all involved.”

      Christopher Furlong/Pool/AFP

      Currently, several sub-stories are emerging, including speculations that JLR may lack insurance for this incident, that outsourced cybersecurity practices could have created vulnerabilities, and that managerial oversights may have allowed hackers to navigate the company's platforms more easily.

      However, it's important to clarify that this was not simply the work of an amateur hacker. Based on my research and a conversation with a cybersecurity expert (who requested anonymity), it appears that the attack was executed by a professional group of skilled individuals, likely targeting high-access accounts. JLR’s vulnerabilities seem to stem from the organization of its technology management. As noted in a recent Forbes article, “Tata allowed three directors to oversee both sides of related party transactions. Natarajan Chandrasekaran (Chandra) chairs Tata’s holding company boards and every subsidiary. Perhaps more concerning, two of the other five non-executive directors at Jaguar Land Rover, technology executive Al-Noor Ramji and supply chain expert Hanne Sorenson, also serve on TCS’s (Tata Consultancy Services) board.”

      So, how did such a breach occur?

      My new cybersecurity contact advised caution in