For almost three weeks, the production lines at global car giant Jaguar Land Rover have stood still. Usually busy turning out an estimated 1,000 vehicles per day, staff at multiple JLR factories across Britain have been told to stay at home as the automotive firm responds to a damaging cyberattack. But as its recovery has stretched from days to weeks, the knock-on impacts are being felt at the hundreds of companies that supply JLR with parts and materials and risk turning the attack into a full-blown crisis.
On Friday, the UK government admitted that the cyberattack against JLR was having a “significant impact” on the company and on the “wider automotive supply chain.” The concession came as unions and officials have increasingly warned that thousands of jobs in JLR’s sprawling supply chain could be lost, and some smaller companies could go bankrupt. Reports claim JLR itself may be losing up to £50 million ($67 million) per week in the shutdown. Some firms have reportedly already laid off staff, with the Unite union claiming that workers in the JLR supply chain “are being laid off with reduced or zero pay.” Some have been told to “sign up” for government benefits, the union claims.
“It seems unprecedented in the UK to have that level of disruption because of a cyberattack or ransomware attack,” says Jamie MacColl, a senior research fellow in the cyber and tech research group at the security and defence think tank RUSI. That thousands of jobs could be put at risk, either temporarily or permanently, is “a different order of magnitude” to previous incidents, MacColl says.
JLR, which is owned by India’s Tata Motors, is one of the UK’s biggest employers, with around 32,800 people directly employed in the country. Stats on the company’s website also claim it supports another 104,000 jobs through its UK supply chain and another 62,900 jobs “through wage-induced spending.” Many other suppliers are also based outside of the UK, as well as some overseas factories.
At the start of September, JLR confirmed it had been “impacted” by a cyberattack and that the company was taking “immediate action” and “proactively shutting down our systems,” effectively grinding its factories and production processes to a halt. As the company investigated the attack, it revealed that “some data” has been “affected” but did not specify what that data is.
Despite efforts to get systems back online, the company confirmed on Wednesday that its “pause” in production has been extended to Wednesday, September 24. “We have taken this decision as our forensic investigation of the cyber incident continues, and as we consider the different stages of the controlled restart of our global operations, which will take time,” JLR said in a statement on Wednesday. “We are very sorry for the continued disruption this incident is causing and we will continue to update as the investigation progresses.”
JLR did not respond to questions from WIRED about what systems were disrupted, the financial cost of the cyberattack to suppliers, nor any measures the company was looking at to support businesses.
Almost immediately after the cyberattack, a group on Telegram called Scattered Lapsus$ Hunters, claimed responsibility for the hack. The group name implies a potential collaboration between three loose hacking collectives— Scattered Spider, Lapsus$, and Shiny Hunters—that have been behind some of the most high-profile cyberattacks in recent years. They are often made up of young, English-speaking, cybercriminals who target major businesses.
Building vehicles is a hugely complex process. Hundreds of different companies provide parts, materials, electronics, and more to vehicle manufacturers, and these expansive supply chain networks often rely upon “just-in-time” manufacturing. That means they order parts and services to be delivered in the specific quantities that are needed and exactly when they need them—large stockpiles of parts are unlikely to be held by auto makers.
“The supplier networks that are supplying into these manufacturing plants, they’re all set up for efficiency—economic efficiency, and also logistic efficiency,” says Siraj Ahmed Shaikh, a professor in systems security at Swansea University. “There’s a very carefully orchestrated supply chain,” Shaikh adds, speaking about automotive manufacturing generally. “There’s a critical dependency for those suppliers supplying into this kind of an operation. As soon as there is a disruption at this kind of facility, then all the suppliers get affected.”
One company that makes glass sun roofs has started laying off workers, according to a report in the Telegraph. Meanwhile, another firm told the BBC it has laid off around 40 people so far. French automotive company OPmobility, which employs 38,000 people across 150 sites, told WIRED it is making some changes and monitoring the events. “OPmobility is reconfiguring its production at certain sites as a consequence of the shutdown of its production by one of its customers based in the United Kingdom and depending on the evolution of the situation,” a spokesperson for the firm says.
While it is unclear which specific JLR systems have been impacted by the hackers and what systems JLR took offline proactively, many were likely taken offline to stop the attack from getting worse. “It’s very challenging to ensure containment while you still have connections between various systems,” says Orla Cox, head of EMEA cybersecurity communications at FTI Consulting, which responds to cyberattacks and works on investigations. “Oftentimes as well, there will be dependencies on different systems: You take one down, then it means that it has a knock on effect on another.”
Whenever there’s a hack in any part of a supply chain—whether that is a manufacturer at the top of the pyramid or a firm further down the pipeline—digital connections between companies may be severed to stop attackers from spreading from one network to the next. Connections via VPNs or APIs may be stopped, Cox says. “Some may even take stronger measures such as blocking domains and IP addresses. Then things like email are no longer usable between the two organizations.”
The complexity of digital and physical supply chains, spanning across dozens of businesses and just-in-time production systems, means it is likely that bringing everything back online and up to full-working speed may take time. MacColl, the RUSI researcher, says cybersecurity issues often fail to be debated at the highest level of British politics—but adds this time could be different due to the scale of the disruption. “This incident has the potential to cut through because of the job losses and the fact that MPs in constituencies affected by this will be getting calls,” he says. That breakthrough has already begun.
“This cyberattack is not some mere flicker on a screen, it is fast becoming a cyber-shockwave ripping through our industrial heartlands,” Liam Byrne, a member of Parliament and chair of the House of Commons’ Business and Trade committee said on X. “If government stands back, that shockwave is going to destroy jobs, businesses, and pay packets across Britain.” Other lawmakers have also expressed concerns after speaking with impacted JLR suppliers, and the Unite union has said the British government should intervene with a “furlough” scheme to support workers.
“The recent cyber incident is having a significant impact on Jaguar Land Rover and on the wider automotive supply chain,” the UK’s Department for Business and Trade said in a statement on Friday, following a meeting with automotive industry groups. “The Government, including government cyber experts, are in contact with the company to support the task of restoring production operations, and are working closely with JLR to understand any impacts on the supply chain.”
The attack is likely another incident that demonstrates how fragile supply chains can be when they are faced with disruption. “We do need to shift to a more resilient supply chain and a resilient operation when it comes to things like manufacturing,” says Shaikh, from Swansea University.
Meanwhile, MacColl says that as global tensions are high—with multiple countries taking steps to make sure they are prepared for war—the attack indicates how production can be forced to grind to a halt. “If this is the effect just that criminals can have on our supply chains, then it’s quite worrying to think about how unprepared we are for, say, a more coordinated and sustained attack from a potential state adversary,” MacColl says.