Jaguar Land Rover (JLR) today issued an update on a cyberattack that has shut down production for nearly a month. The company said it is informing employees, retailers and suppliers that some manufacturing operations "will resume in the coming days."
According to the company, this is the next step in its plan for a controlled, phased restart.
"We know there is much more to do, but the foundational work of our recovery is firmly underway, and we will continue to provide updates as we progress," JLR said in a statement.
Cybersecurity experts have said that just turning systems back on is "impossible," and it could take up to a year for the company to be fully operational.
"While details remain murky, the attack bears the hallmarks of a ransomware or destructive intrusion—not just data theft," said former FBI agent and current cybersecurity expert Eric O'Neill, author of the upcoming book Spies, Lies, and Cybercrime: Cybersecurity Tactics to Outsmart Hackers and Disarm Scammers. "These attacks share a dangerous pattern: the breach came despite heavy investment in cybersecurity. Resilience is what matters—before the attack. Redundancy, segmentation, zero-trust networks, and disaster recovery plans that actually work. And even those aren't enough without people willing to hunt threats, not just react to them."
Last Thursday, the company was able to bring some digital assets back online, including increased IT processing capacity for invoicing, which allowed the company to start clearing a backlog of supplier payments "as quickly as possible."
JLR's Global Parts Logistics Center is also returning to full operations. The facility supplies parts to global distribution centers for retail partners. The move will help retailers service vehicles.
The financial system JLR uses to process vehicle wholesales has also been brought back online, delivering much-needed cash flow.
O'Neill said JLR is "almost certainly following the standard high-stakes incident response playbook that critical manufacturers use when ransomware or destructive attacks hit."
He said the company will need to do more than just kick out the cyberattackers; it must also prove that the attackers are gone, restore from clean systems, and build resilience so that it can't happen again.
O'Neill boils down the lengthy process JLR faces into three steps:
- Containment & Eradication: Isolate systems, remove attacker footholds, and block any chance of reentry.
- Forensics & Restoration: Investigate how and when the breach occurred, then rebuild and restore from clean backups before that point.
- Resilience & Recovery: Patch vulnerabilities, strengthen defenses, and enhance monitoring to prevent future disruption.
JLR said it is working around the clock to restart operations.
