JLR Hacked

Exclusive

In detail: Jaguar Land Rover hack could result in £150m hit as dealers warn of ‘major issues’

  • Experts predict if hack keeps JLR production lines silent this month it could lose £150m
  • No signs of a swift recovery as car maker remains tight-lipped about extent of hack
  • State bailouts may be needed for West Midlands suppliers as crisis continues

3:33 pm, September 15, 2025

Jaguar Land Rover’s devastating cyber attack could result in a £150m hit to the company if factory shutdowns continue to the end of the month, experts warn.

Speaking to Car Dealer, automotive industry analysts said the longer the car manufacturer is shut out of its computer systems, and its production lines around the world remain silent, the more serious the ramifications could become.

The contagion caused by the hack is spreading through the wider West Midlands supplier network with many businesses that rely on JLR now precariously balanced. 

With their revenue streams strangled by the shutdown, many are predicting a state bailout might even be required before widespread job losses are inevitable.

JLR franchisees told Car Dealer the situation in dealerships is still ‘very challenging’ as they attempt to find workarounds for the systems shutdown.

‘We can sell used cars, but selling new models is haphazard at best,’ said one franchise holder.

‘We’re being told very little by head office. They are in an incredibly difficult situation and are attempting to find workarounds for us, but it’s not easy and very challenging for everyone.

‘Parts supply, for example, is starting to come out from the manufacturer as they are simply sending us what we need, but even that is not easy.

‘Aftersales is a real problem, but the teams are attempting to muddle through. Some customers understand, but many are not quite so calm when we tell them they can’t have their new car just yet.’

£5m daily hit?

Professor David Bailey, professor of business economics at the Birmingham Business School, conservatively estimated that each lost day of production is costing Jaguar Land Rover £5m in lost revenue.

So far plants have been silent for 15 days and they’ll remain the same until at least Wednesday this week. However, insiders fear production is highly unlikely to start then.

Bailey said: ‘Profits will undoubtedly take a hit, but by how much? The firm makes around 1,000 cars a day globally. In recent years it has shifted up market and the average selling price of a JLR car is now thought to be around £72,000. 

‘That equates to a daily revenue of some £72m. The firm’s last financial report forecast margins of 5-7% this year, so the hit to profit could run to £5m a day.

‘JLR says plant output will be suspended until at least Wednesday. By then, the value of lost output will be around £1bn, and the hit to profits will be around £70m.

‘But there is speculation that this could still take weeks to fix. If output is suspended for much of September then that could be a £150m profit hit for the firm.’


Locked out

The cyber attack locked JLR staff out of critical systems on September 1. Production lines were stopped dead, dealers struggled to register cars on the first day of the new 75-reg and the ability to order parts was lost.

‘The production lines in the UK, Slovakia, Brazil, India and China are all still silent as a result,’ said Bailey.

‘If the firm can get things restarted soon then it could claw back some of those lost profits by working flat out to meet a backlog of orders.

‘But the longer the shutdown goes on, the bigger the hit to profit and the more likely it is that customers simply decide to go elsewhere.’

Hackers from the groups ‘Scattered Spider, Lapsus$ and ShinyHunters’ – the same groups that targeted M&S and the Co-op – have claimed responsibility for the attack.

It’s not known whether they are demanding a ransom to restore access to the systems, but experts predict that is highly likely. 

‘In the same way that major IT implementations always seem to run late and cost more than initially planned, recovery from cyber attacks also seems to take longer as more data corruption is identified and fixes take longer to develop and implement,’ said Steve Young, from the automotive research firm ICDP.

‘I am not surprised that we are going into another week with a low degree of confidence in when things will go back to normal.’

State bailout

Bailey thinks the government needs to be thinking now about emergency aid for the smaller companies impacted by the hack.

‘The longer the shutdown goes on the bigger the impact on the supply chain,’ said the professor.

‘That supply chain – centred very much here in the West Midlands – sees JLR as the anchor firm. Smaller suppliers have sent workers home, laid off staff, applied for bank loans, and are running out of cash. 

‘The government needs to start thinking about a financial lifeline to keep that supply chain going.’

State aid at times like these is not unusual. Bailey said bailouts had previously been handed out when MG Rover closed in 2005, the Japanese earthquakes and tsunami struck in 2011 and, more recently, during Covid.

He added: ‘The Department for Business and Trade has a new Secretary of State in the form of Peter Kyle. It needs to be doing more than just monitoring the situation.

‘Rather it needs to start thinking fast about whether and how emergency support could be provided to the supply chain.’

Young agreed the cyber attack’s impact on the supplier network was far more critical than that on JLR.

He said: ‘The hack does not represent an existential threat to JLR who will be able to draw on the broader resources of the Tata Group if needed, but the biggest risk is with the smaller suppliers.’

He doesn’t think a state bailout will be necessary, though. Instead, he hopes the government and JLR will ‘lean on banks’ to ensure they extend funding lines to the small businesses under threat. 

Job losses

Former Nissan and Aston Martin executive Andy Palmer told the BBC he expected to see job losses in the supplier network soon.

He said: ‘Some of them will go bust. I would not be at all surprised to see bankruptcies. Layoffs are either already happening, or are being planned.’

JLR has reported the hack to the ICO and admitted the hackers may have accessed some data. The extent of that has not been disclosed.

The car manufacturer has remained tight-lipped as its teams focus on getting systems back up and running.

No new comment has been released by the car maker since last Wednesday, when it said: ‘Since we became aware of the cyber incident, we have been working around the clock, alongside third-party cybersecurity specialists, to restart our global applications in a controlled and safe manner.

‘As a result of our ongoing investigation, we now believe that some data has been affected and we are informing the relevant regulators. Our forensic investigation continues at pace and we will contact anyone as appropriate if we find that their data has been impacted.

‘We are very sorry for the continued disruption this incident is causing and we will continue to update as the investigation progresses.’

Bailey believes the longer this goes on, the more danger there is of JLR’s brand being ‘battered’.

‘There is still no indication of how long JLR will need to get up and running again,’ he said. 

‘The bottom line, though, is that JLR needs to sort this out, and quickly.’

No quick fix

A fast result, though, might not be something JLR can manage, according to cyber security experts monitoring the hack. 

Marijus Briedis, chief technology officer at NordVPN, told Car Dealer: ‘Recovery from a cyberattack of this magnitude is rarely quick. Even when production lines begin to restart, it could take weeks before every system is fully restored.’

World-leading cybersecurity expert Eric O’Neill, author of the upcoming book Spies, Lies, and Cybercrime: Cybersecurity Tactics to Outsmart Hackers and Disarm Scammers, told Car Dealer that the fact this attack had ‘lingered’ means it’s likely to have been very damaging.

‘It signals either a lack of preparation or that the attackers had deeper access than expected – neither is reassuring,’ he said.

‘When restoration stalls, it often means backups were compromised or the attackers embedded themselves in critical systems. Criminals and spies will often seek to destroy or alter backup systems when launching attacks.’

While JLR hasn’t admitted it is being held to ransom, both experts we spoke to believe this is highly likely.

O’Neill added: ‘Importantly, paying a ransom doesn’t end the problem. Even if they pay, JLR still needs to investigate, conduct forensic analysis, remove the attackers, and harden their defences. Otherwise, they risk being targeted again.’

Briedis added that the police advise against paying ransoms, especially as there is no guarantee of access being recovered even if it is paid.

He said: ‘This incident underlines why large manufacturers must view cyberattacks not as a possibility but as an inevitability.’

Back in dealerships, far away from the headaches facing JLR executives, dealer bosses told us they’re just trying to ‘muddle through’.

‘Our stresses are nothing near what those at JLR head office are facing,’ said another JLR dealer group boss.

‘We might have a few angry customers waiting for cars or parts – they’re staring into the abyss.’

James Baggott

James is the founder and editor-in-chief of Car Dealer Magazine, and CEO of parent company Baize Group. James has been a motoring journalist for more than 20 years writing about cars and the car industry.


