Jaguar Land Rover (JLR) distribution and production could be disrupted for “weeks” following a cyber “incident” which forced it to shut down all its systems.
According to specialists, the attack could be related to a Salesforce account – and they urged those using the software to beef up their security.
The UK-based, but Tata Motors-owned company said that the incident led it to take “immediate action to mitigate its impact by proactively shutting down our systems”.
“We are now working at pace to restart our global applications in a controlled manner.
“At this stage there is no evidence any customer data has been stolen, but our retail and production activities have been severely disrupted.”
However, cyber security experts say they expect the company to be, at least partially, offline for weeks – and have warned that other companies could be the victims of more attacks soon.
“Our threat intelligence data shows a Salesforce employee account compromised via Infostealer malware, which steals log-in credentials,” said Dynarisk.
“Tata Motors, which owns JLR, appears to use Salesforce, and there has been a wave of Salesforce-related attacks recently,” added the risk management specialist.
Dynarisk also suggested there could be a link to hacking group Scattered Spider, which, it said, had been targeting Salesforce accounts – it was behind the M&S attack, which cost the retailer £300m in operating profit over seven weeks.
But Dynarisk added: “While the data points to a potential connection, we cannot confirm their involvement yet.”
It said there had been no official confirmation of the type of attack on JLR, and explained: “Taking systems offline is standard practice in incidents like ransomware, so this may be a containment measure.”
Hackers claimed to have attacked JLR in March and to have breached 700 internal documents, shown in a screenshot obtained by Dynarisk.
The company issued advice to Salesforce users: “Assume you have been breached and act accordingly. Check your incident response planning process, change all passwords ASAP, assess all integrated devices and connected apps. Cut down on accounts that are not needed and regenerate or rotate accounts’ integrations. Check logs and monitor for anomaly detection.”
Mil Rajic, head of the intelligence team, said: “Based on recent experiences, such as the Marks & Spencer cyber incident, it took approximately six weeks for the company to fully restore its online ordering services.
“In practice, the recovery timeline depends largely on the complexity of the systems involved. Given that Jaguar Land Rover operates on a global scale, the process will require identifying and isolating the affected systems while restoring operations according to business priorities. While the most critical functions will be addressed first, achieving full recovery may take several weeks.”
One JLR parts specialist told The Loadstar yesterday: “It’s an absolute nightmare. We’ve used a few choice words today, I can tell you.
“The system could be out for weeks. It’s been a nightmare trying to get hold of parts. I’ve had to remember the part numbers because we can’t even look that up. And although we can get some parts from other suppliers, we can’t get anything from Jaguar Land Rover at the moment.”
The attack has come at a difficult time for JLR. 1 September is ‘new plate day’, the busiest day for registrations of new cars, which is now, reportedly, being carried out by hand at JLR. It has also suffered from US tariffs, initially set at 27.5% on UK and EU cars, which severely dented its profits and led to a halt in exports to the US, before a new UK tariff of 10% was agreed in May.
This latest problem has led to another halt in production at UK plants.
Dynarisk warned: “Based on the previous few days, we expect to see a lot more companies being announced with Salesforce attacks in the future. The current list of companies targeted by the string of Salesforce attacks is: Adidas, Cartier, Google, Louis Vuitton, Dior, Chanel, Tiffany, Qantas, Air France–KLM, Allianz Life, Cisco, Pandora, Zscaler, Cloudflare, TransUnion and Palo Alto.”
JLR would not comment beyond its initial statement.