As Jaguar Land Rover Struggles to Restart Production, Stellantis Faces Breach Linked to Salesforce

The ongoing JLR shutdown means "just turning systems back on" is "impossible," a cybersecurity expert says.

The cyber attack that shut down production at Jaguar Land Rover (JLR) will apparently keep the automaker's lines on "pause" until at least next week.

The largest car maker in the U.K. announced Tuesday that it has notified workers, suppliers and partners that its production shutdown will extend until Oct. 1.

JLR said it is building a timeline for a phased operational restart while investigations into the attack continue. The company is working with cybersecurity specialists, the U.K.'s National Cyber Security Center and law enforcement to ensure a safe and secure restart, officials added.

Still, the economic impact remains far-reaching. According to a report in Wired, thousands of jobs throughout the automotive supply chain remain at risk, and some smaller businesses might not be able to survive the shutdown. The BBC reports that JLR could be losing up to $67.6 million per week. The outlet also noted that the JLR supply chain supports 104,000 U.K. jobs.

"Jaguar Land Rover's statement today confirms what many of us suspected: this isn't a minor disruption — it looks like a large-scale ransomware attack," said former FBI agent and current cybersecurity expert Eric O'Neill, author of the upcoming book Spies, Lies, and Cybercrime: Cybersecurity Tactics to Outsmart Hackers and Disarm Scammers. O'Neill told Industrial Equipment News (IEN), "The fact that production remains paused — and is now extended — signals a level of complexity that makes 'just turning systems back on' impossible."

When companies face this kind of incident, recovery often occurs in phases because the attacker may still be lurking within the network, O'Neill said. As a result, any premature reboot risks handing them the keys again. 

"Unless JLR has intrinsic security and continuous endpoint monitoring in place, remediation becomes a grind, cleaning every endpoint — every device, server or machine connected to the network — one by one," he added.

Because networks can't safely come back online until the attacker is evicted, systems must be restored to a point in time before the intrusion. Unfortunately, operators often don't know precisely when the attacker infiltrated the system. If the backups are compromised or the intruder is still active, the investigation becomes even more challenging.

"This is why the phased restart language in JLR's announcement is telling. They're trying to ensure a clean, safe environment before operations resume, which is the right move — but it also hints at how long and difficult the road ahead may be," O'Neill said.

Dr. Darren Williams, founder and CEO of cybersecurity firm BlackFog, has stated that it could take nine to 12 months before JLR is fully operational. 

"For JLR and its suppliers, the collateral damage has been extensive; tightly integrated supply chains mean disruption quickly turns into major financial losses," Williams said.

Stellantis Faces Salesforce Breach

The news of JLR's ongoing woes comes the same week that Stellantis, which makes 14 major automotive brands including Chrysler, Jeep and Fiat, announced that it had caught "unauthorized access to a third-party service provider's platform."

According to information security and technology news publication BleepingComputer, criminal hacker group ShinyHunters claimed responsibility for the Stellantis breach and said it stole more than 18 million records from Stellantis' Salesforce instance.

Stellantis said it immediately initiated incident response protocols and took prompt action to contain and mitigate the situation. The company admitted that contact information was taken, but noted that the affected platform doesn't store financial or sensitive personal information.

Still, Stellantis told customers to remain vigilant against potential phishing attempts and avoid clicking on suspicious links or sharing personal information in response to unexpected emails, texts or calls. The company has notified law enforcement and contacted affected customers directly.  

"The company is right to urge customers to be vigilant, as attackers may exploit this information in phishing attempts," Williams said. "The sector will no doubt be looking at how to double down on its cyber resilience. In today's attacks, data is the real prize, fueling extortion and driving the black market. Security strategies must shift from just detecting and recovering to preventing data exfiltration in real-time, ensuring that attackers lose their leverage."

Building a Proactive Cyber Defense

Eric O'Neill started his career as an FBI "ghost," an undercover field operative. In 2001, he helped bring down Robert Hanssen, a 25-year veteran of the FBI and a notorious Russian mole.

In O'Neill's new book, he outlines a proactive cyber defense he calls the "P.A.I.D." methodology: "Prepare, Assess, Investigate and Decide."

  • Prepare ahead of the event with resilient architecture, tested incident response plans and cybersecurity technology.
  • Continuously assess security by monitoring endpoints and networks for abnormal activity, and train staff on best practices for cybersecurity.
  • Investigate every alert, no matter how small, before it becomes the attacker's foothold; leverage technology to rapidly determine the where, when and what of the attack.
  • Decide to act before it's too late — contain threats quickly and decisively.

Using this method, companies can survive cyberattacks, shorten downtime and preserve trust, O'Neill says.
