What Manufacturers Can Learn From the Jaguar Land Rover Cyberattack

In early September, luxury automobile manufacturer Jaguar Land Rover (JLR) was hit with a ransomware attack that caused severe repercussions, costing billions of dollars in losses, fracturing its supply chain, and eroding stakeholder trust. The incident should serve as a warning sign to manufacturers everywhere.

Many organizations still put most of their focus on prevention and detection, while the industrial sector has become a prime target for cyber-attacks. That means any manufacturing organization could easily be next. Recent data shows:

• Manufacturing now accounts for more than 70% of all industrial cyber victims;
• 65% of manufacturing organizations were hit by ransomware attacks in 2024;
• Q1 2025 alone saw 450+ ransomware incidents, nearly four times the pace of the previous year.

Most of these attacks directly affected OT systems, not just IT. Clearly, adversaries are no longer satisfied with stealing or encrypting data. They are increasingly targeting industrial environments where downtime gives them enormous leverage. For JLR, the result was immediate: multiple plants shut down, thousands of vehicles were delayed, and suppliers across Europe were disrupted.

In today’s threat landscape, the JLR cyber incident is a stark reminder that resilience isn’t optional. To stay protected, security teams must start asking the right questions. Instead of focusing only on detecting and blocking threats, they need to prioritize being able to recover quickly once attackers break through. Assessing the JRL incident and understanding why its impact was so severe is a good starting point to make this strategic shift.

What happened? A brief recap

On September 2, JLR announced on its website that it had suffered a cyber incident, and that retail and production activities were significantly disrupted. There was no indication that customer data had been stolen, but the company proactively shut down its systems to minimize the damage. It then began working around the clock with cybersecurity specialists and law enforcement to securely bring global operations back online.

The forensic investigation extended operational downtime for over a month. During this period, JLR was estimated to be losing at least $67 million per week. Suppliers and customers began coming forward, revealing that they could face bankruptcy, delayed operations, and layoffs as a result of the shutdown. Due to these ripple effects, the U.K. Government stepped in with a £1.5 billion loan guarantee to support JLR’s supply chain amid the shutdown.

JLR started restoring manufacturing operations on October 8. As part of the announcement, the company confirmed that production volumes had been impacted and that its wholesale and retail sales for Q2 FY26 were both down 24.2% and 17.1% respectively, compared to Q2 FY25.

What now?

In the short term, JLR’s recovery is still ongoing as it supports suppliers financially and works to make up for lost sales and inventory. In the long term, the auto manufacturer’s recovery will be more complex. To return to normal operations, JLR must rebuild trust with customers, suppliers, employees, and shareholders. A crucial part of that effort will be strengthening its cybersecurity posture to prevent the devastating impact of another breach. 

What could JLR have done differently? 

The JLR case mirrors what we’re seeing across the manufacturing sector. All organizations must recognize that in today’s threat landscape, with attackers’ major focus on manufacturing and industrial organizations and their increasingly sophisticated attack techniques, a breach is inevitable. It’s just a matter of when. Prevention and detection tools can help reduce risk and potentially postpone the breach, but on their own, there will always be a door open for attackers to slip through first lines of defense and significantly cripple operations.

In the industrial sector, every minute of operational downtime translates into frozen production lines, disrupted supply chains, and immense financial costs of upwards of $1.9M per day.

The harsh reality is that too many organizations treat recovery as an afterthought. In truth, being able to quickly and safely restart operations through a tested, automated, and integrated resilience plan means the difference between a cyber incident resulting in minimal impact or catastrophic damage. For manufacturing leaders, waiting to make recovery a core part of your resilience strategy simply isn’t an option. Had JLR done so, this past quarter could have looked very different. 

Unlocking true cyber resilience in manufacturing 

Looking at the sequence of events, there are five specific areas where a stronger focus on cyber-physical resilience could have changed the trajectory of JLR’s crisis:

1. A resilience-first approach — The delays to production and key launches underscore how cyber incidents now directly translate into strategic and commercial risk, especially in an increasingly competitive market such as EV. Cyber resilience in OT isn’t just a security concern; it is a foundational element of business continuity, operational assurance, and long-term product strategy.
   
   
2. Faster, engineered recovery — Modern manufacturing relies on tightly synchronized OT systems. JLR’s extended downtime suggests there were limited mechanisms for restoring compromised operational assets to a verified, trusted state. A mature recovery program, built on continuously validated, integrity-checked backups, could have enabled rapid restoration of critical systems and significantly reduced disruption regardless of the attack’s scale.
   
   
3. Effective isolation and containment —Once adversaries gain a foothold in OT networks, they can move laterally very quickly. Stronger segmentation combined with asset-level rollback capabilities would have allowed JLR to isolate affected zones, maintain partial operations, and prevent plant-wide shutdowns. Targeted containment also accelerates forensic investigation and root-cause analysis.
   
   
4. Comprehensive visibility into resilience readiness — One of the least discussed contributors to prolonged industrial downtime is the lack of real-time visibility into the health, preparedness, and recoverability of OT assets. Manufacturers need resilience dashboards and reports that show which systems are recoverable, which backups are validated, where dependencies exist, and how quickly both specific assets and complete production lines can return to operation. This level of operational transparency enables faster decision-making during an incident and helps avoid unnecessary shutdowns that magnify impact.
   
   
5. Continuous backup integrity validation — Backups are only useful if they are intact and immediately deployable. Many industrial organizations discover issues with their backups during an incident, when it’s already too late. A discipline of continuous, automated verification and system-state consistency would have ensured that JLR had clean, trusted recovery points ready to use. This step alone can mean the difference between hours of disruption and weeks of operational paralysis. 

The broader lesson

The JLR incident highlights the gap between traditional IT-focused security approaches, which prioritize keeping data safe, and the operational realities of industrial environments, where downtime has immediate physical, financial, and strategic consequences.

The path forward for manufacturers is clear: treat OT resilience as a core pillar of operational strategy, where recovery takes seconds rather than hours, and certainly not days.

These aren’t hypothetical nice-to-have benefits. They reflect where manufacturers are already headed, recognizing that in modern manufacturing, the ability to restore operations quickly is just as important as the ability to defend against attacks.