Jaguar Land Rover says cyberattack shutdown to last 'at least' another week

Jaguar Land Rover (JLR) announced on Tuesday that its global operations would remain shuttered until at least September 24 as the company continues to grapple with the impact of a cyberattack discovered earlier this month.

The automotive manufacturer said it had taken the decision to pause attempts to restart production as a forensic investigation of the incident remains ongoing. In a statement the company explained it is considering “the different stages of the controlled restart of our global operations, which will take time.”

Thousands of JLR employees have been told not to report for work due to the standstill. Reports suggest that thousands more workers at supply-chain businesses are also being temporarily laid off due to the shutdown. The Unite union has called on the government to provide a furlough scheme to support impacted workers.

The extended disruption is increasing the costs of the incident for JLR, which is one of Britain’s most significant industrial producers — accounting for roughly 4% of goods exports last year — and risks damaging the British economy as a whole.

Lucas Kello, the director of the University of Oxford's Academic Centre of Excellence in Cyber Security Research, told Recorded Future News last week: “This is more than a company outage — it’s an economic security incident.”

Reports suggest that every day of disruption is losing the company £72 million ($98 million) in sales. The company has also confirmed that the perpetrators managed to compromise internal data, and under British privacy laws JLR could face a fine if personal data was not properly protected.

Ciaran Martin, the founding chief executive of the National Cyber Security Centre and now a professor at the University of Oxford, told Recorded Future News that the attack highlighted a discrepancy between the legal focus on protecting personal data versus business continuity.

“I am beginning to think that at some point we’re going to have to break a taboo and say out loud that the protection of a lot of relatively trivial personal data is over-regulated, and that service continuity is deprioritised as a result,” said Martin.

“That might not be a matter of legislation: maybe corporate governance rules or shareholder action or the market can fix it. But right now our economic security looks more threatened by disruptive attacks than by data breaches but our policy framework hasn’t caught up with that yet.”

It comes as the introduction of the British government’s much-delayed Cyber Security and Resilience Bill (CSRB) to Parliament was delayed again last week, as revealed by Recorded Future News.

The proposed law, which will require companies working in critical sectors to abide by higher cybersecurity standards, would not have directly impacted JLR. However it would have directly impacted Tata Consultancy Services (TCS) — a managed service provider used by JLR, as well as two other well-known British brands hit by ransomware attacks earlier this year.

Clients of TCS include Marks & Spencer and the Co-op, attacks against which led to empty grocery shelves at stores across the country. Four individuals living in the United Kingdom were arrested in connection with those incidents earlier this year, and later released on bail.

TCS previously said it was looking into reports its support staff had been socially engineered to provide cybercriminals with initial access to M&S systems. The company subsequently denied its systems or users were “compromised,” although it has not responded to repeated requests for clarification about whether that statement precluded social engineering.

“It’s unknowable whether or not quicker regulation of managed service providers would have prevented these breaches. What is clear is that there is a mismatch in our regulatory posture,” said Martin.