CyberHappenings logo
🏠 Home 📂 Browse ℹ️ About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Jaguar Land Rover Production Disrupted by Cyberattack

First reported
Last updated
📰 2 unique sources, 4 articles

Summary

Hide ▲

Jaguar Land Rover (JLR) experienced a cyberattack that severely disrupted its production and retail operations. The attack prompted the company to shut down several systems to mitigate the impact. Customer data was compromised, and the exact nature of the attack and the timeline for recovery remain unclear. The incident affected multiple systems, including those at the Solihull production plant, where popular models like the Land Rover Discovery and Range Rover are manufactured. The attack occurred over the weekend, a common time for such incidents due to reduced response capabilities. This is the second cyberattack JLR has suffered this year, raising concerns about potential vulnerabilities from the previous attack. JLR has extended the production shutdown for another week, with operations expected to resume on September 24, 2025. The company is still investigating the incident and has not attributed the breach to a specific cybercrime group.

Timeline

  1. 10.09.2025 18:29 📰 2 articles · ⏱ 7d ago

    Scattered Lapsus$ Hunters claim responsibility for JLR cyberattack

    A group called "Scattered Lapsus$ Hunters" claimed responsibility for the breach on Telegram, sharing screenshots of an internal JLR SAP system and claiming to have deployed ransomware. This group is associated with Lapsus$, Scattered Spider, and ShinyHunters extortion groups and is also responsible for widespread Salesforce data theft attacks. JLR has not yet attributed the breach to a specific cybercrime group.

    Show sources
    Open in new tab
  2. 02.09.2025 17:23 📰 4 articles · ⏱ 15d ago

    Cyberattack disrupts Jaguar Land Rover production and retail operations

    The attack occurred during the launch of new registration plates, a busy period for JLR. The incident is the second cyberattack JLR has suffered this year, raising concerns about potential vulnerabilities from the previous attack. The attack highlights the need for robust cyber hygiene and authentication in digitalized operations. Additionally, JLR confirmed that some data was stolen during the attack, and the company has notified the relevant authorities. The investigation is ongoing with the help of the U.K. National Cyber Security Centre (NCSC). JLR has extended the production shutdown for another week, with operations expected to resume on September 24, 2025.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Lovesac Data Breach After Ransomware Attack

Lovesac, a furniture retailer, suffered a data breach between February 12, 2025, and March 3, 2025. Hackers gained unauthorized access to internal systems, stealing personal data. The breach was discovered on February 28, 2025, and remediated three days later. The RansomHub ransomware gang claimed responsibility but the company did not confirm the encryption of data. The number of affected individuals and the exact nature of the stolen data remain undisclosed. The company offers 24-month credit monitoring to impacted individuals and advises vigilance against phishing attempts. RansomHub, the group claiming the attack, has a history of targeting high-profile entities and shut down in April 2025.

Open in new tab

Supply Chain Attack on npm Packages with Billions of Weekly Downloads

A supply chain attack compromised multiple npm packages with over 2.6 billion weekly downloads. Attackers injected malicious code into these packages after hijacking a maintainer's account via phishing. The malware targets web-based cryptocurrency transactions, redirecting them to attacker-controlled wallets. The attack was detected and mitigated by the NPM team, who removed the malicious versions within two hours. The phishing campaign targeted multiple maintainers, using a fake domain to trick them into updating their 2FA credentials. The malicious code operates by hooking into JavaScript functions and wallet APIs, intercepting and altering cryptocurrency transactions. The attack impacts users who installed the compromised packages during a specific time window and have vulnerable dependencies. The attack targeted Josh Junon, also known as Qix, who received a phishing email mimicking npm. The phishing email prompted the maintainer to enter their username, password, and 2FA token, which were stolen via an adversary-in-the-middle (AitM) attack. The attack affected 20 packages, including ansi-regex, chalk, debug, and others, with over 2 billion weekly downloads. The malware intercepts cryptocurrency transaction requests by computing the Levenshtein distance to swap the destination wallet address. The payload hooks into window.fetch, XMLHttpRequest, and window.ethereum.request, along with other wallet provider APIs. The attack also compromised another maintainer, duckdb_admin, to distribute the same wallet-drainer malware. The affected packages from the second maintainer include @coveops/abi, @duckdb/duckdb-wasm, and prebid, among others. The attack impacted roughly 10% of all cloud environments. The attackers diverted five cents worth of ETH and $20 worth of a virtually unknown memecoin. The attacker’s wallet addresses holding significant amounts have been flagged, limiting their ability to convert or use the funds.

Open in new tab

Salesloft Disables Drift Following OAuth Token Theft

Salesloft has taken Drift offline due to a security incident involving the theft of OAuth tokens and unauthorized access to Salesforce data. The breach began with the compromise of Salesloft's GitHub account, affecting multiple major tech companies, including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, Zscaler, Tenable, Qualys, Rubrik, Spycloud, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks, and BugCrowd. The incident was attributed to a threat cluster tracked as UNC6395 and GRUB1. The breach occurred on September 5, 2025, affecting the marketing software-as-a-service product Drift. The attackers exploited vulnerabilities to steal authentication tokens, leading to unauthorized access to sensitive data. Salesloft has temporarily disabled Drift to conduct a comprehensive review and enhance security measures. The ShinyHunters extortion gang and threat actors claiming to be Scattered Spider were involved in the Salesloft Drift attacks, in addition to the previous Salesforce data theft attacks. The threat actors primarily focused on stealing support cases from Salesforce instances, which were then used to harvest credentials, authentication tokens, and other secrets shared in the support tickets. The threat actors' primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens. The number of impacted companies has been updated to 29. Cloudflare disclosed that some customer support cases stored in Salesforce included configuration settings and 104 Cloudflare API tokens. Salesforce restored integration with the Salesloft platform, except for the Drift app, which remains disabled until further notice. The breach also affected Qantas, where executives had their short-term compensation reduced by 15% due to a data breach that impacted approximately 5.7 million passengers.

Open in new tab

Chess.com data breach via third-party file transfer app

Chess.com disclosed a data breach after unauthorized access to a third-party file transfer application. The incident occurred between June 5 and June 18, 2025, affecting approximately 4,500 users. The breach involved names and other personally identifiable information (PII). Chess.com discovered the breach on June 19, 2025, and has since taken measures to secure its systems and notify affected users. No financial information was compromised, and there is no evidence of misuse of the stolen data. The platform is offering free identity theft and credit monitoring services to impacted users.

Open in new tab

Bridgestone manufacturing facilities impacted by cyberattack

Bridgestone Americas, the North American division of Bridgestone Corporation, is investigating a cyberattack that has disrupted operations at all manufacturing facilities in North America. The attack, detected on September 2, 2025, affected facilities in Aiken County, South Carolina, and Joliette, Quebec. Bridgestone's rapid response reportedly contained the incident early, preventing customer data theft or extensive network infiltration. The company is working to mitigate the impact on its supply chain and ensure business continuity. The exact nature and scope of the cyber incident remain unknown.

Open in new tab