Our risk quantification model assesses a case of supply-chain risk at its worst

Auto Assembly Cyber Risk

By Erica Eager and Anushka Jain

Key Facts

  • Hackers (widely believed to be Scattered Lapsus$ Hunters) hit UK luxury carmaker Jaguar Land Rover (JLR) with a cyber attack on September 1, 2025, forcing an immediate global production shutdown.
  • The latest projections call for a gradual resumption of production, beginning on October 6.
  • The shutdown immediately reverberated through JLR’s sprawling supply chain of 104,000 workers in the UK alone.
  • Four weeks into the attack, the UK government’s export credit agency responded by backing a private, five-year $1.6 billion (£1.2 billion) loan to JLR to help pay suppliers.
  • Our preliminary FAIR-MAM assessment estimates the loss for Jaguar Land Rover to be between $1.2b (£911m) and $1.9b (£1.4b).
  • The loss is material: more than 50% of last year’s net profit of $2.4b (£1.8b).
  • The incident will go down as one of the worst cyber-induced supply chain disasters – in a league with the UnitedHealth Group data breach of 2024 that left its supply chain unable to process medical claims for a month or more.

Estimating Loss for Jaguar Land Rover with the FAIR-MAM Model

SAFE and the FAIR Institute developed FAIR-MAM, an open financial-loss model based on Factor Analysis of Information Risk (FAIR), as a tool for businesses to quickly and reliably quantify the impact of cyber incidents. We use the model on our SAFE One cyber risk management platform — along with the most comprehensive set of industry standard loss data — to run proactive loss magnitude assessments for our clients. We also use FAIR-MAM for post-incident analysis to quantify major cyber events in the news, such as the JLR attack.

How Material Is The Jaguar Land Rover Hack?

Most of the loss from this hack is due to revenue interruption from the extended production downtime. Based on financial results from JLR’s last fiscal year, which ended on March 31, 2025, one can infer the following daily variables: 

  • Revenue = $106.2m (£79m)
  • Raw materials = $61.8m (£46m)
  • Other variable expenses dependent on production = $17.4m (£13m)
  • Net profit = $6.7m (£5m)

The daily profit loss of £5m has been widely reported. When estimating materiality after a hack, however, SAFE’s FAIR-MAM loss model calculates net revenue loss, that is, revenue minus avoidable costs.

Based on last year’s income statement, 

  • Daily net revenue loss to JLR is approximately $26m (£20m), totaling $985m (£730m) for the month of September and the first 6 days of October when global production was halted.

Production will take time to ramp back up, however. Therefore, we have estimated an additional

  • $230m (£170m) to $645m (£478m) of potential net revenue loss as production resumes.

JLR has said that they have notified the proper authorities that customer data was stolen but have provided no further details. Until more information is forthcoming, we have included 

  • Potential loss from data exfiltration of $350,000 (£260k) to $12m (£9m).

Preliminary Estimate of Total Loss 

Between $1.2b (£911m) and $1.9b (£1.4b), more than 50% of last year’s net profit of $2.4b (£1.8b).
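To make the net-revenue-loss method concrete, here is an added Python example (not SAFE’s or the FAIR Institute’s code) that reproduces the arithmetic on the post’s rounded daily figures and adds a simple Monte Carlo over the two uncertain ranges. The 36-day halt length (September 1 to October 6 inclusive) and the triangular distribution with its mode at the midpoint are assumptions; because the inputs are rounded, the computed totals land a little below the post’s published £911m to £1.4b.

```python
"""Net-revenue-loss estimate in the FAIR-MAM style, using the daily JLR
figures given in the post (GBP millions). Added example, not SAFE's code."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class DailyFinancials:
    """Per-day figures inferred from the FY2025 income statement (GBP millions)."""
    revenue: float
    raw_materials: float
    other_variable: float

    @property
    def net_revenue_loss(self) -> float:
        # FAIR-MAM measures revenue minus avoidable (variable) costs, not net
        # profit: fixed costs keep accruing while production is halted.
        return self.revenue - self.raw_materials - self.other_variable


# Daily figures stated in the post: revenue £79m, raw materials £46m,
# other production-dependent variable expenses £13m.
JLR_DAILY = DailyFinancials(revenue=79.0, raw_materials=46.0, other_variable=13.0)
HALT_DAYS = 36                 # assumed: 1 September to 6 October inclusive
RAMP_UP = (170.0, 478.0)       # post's range for loss while production resumes
EXFIL = (0.26, 9.0)            # post's range for data-exfiltration loss
ANNUAL_NET_PROFIT = 1800.0     # last year's net profit, £1.8b


def outage_loss(daily: DailyFinancials, days: int) -> float:
    """Net revenue lost over a full production halt lasting `days` days."""
    return daily.net_revenue_loss * days


def total_loss_range(outage: float, ramp: tuple, exfil: tuple) -> tuple:
    """Low and high totals: the fixed outage loss plus each range's ends."""
    return outage + ramp[0] + exfil[0], outage + ramp[1] + exfil[1]


def materiality(loss: float, net_profit: float) -> float:
    """Loss as a fraction of annual net profit; the post uses 50% as the bar."""
    return loss / net_profit


def simulate_total(outage: float, ramp: tuple, exfil: tuple,
                   runs: int = 20_000, seed: int = 1) -> tuple:
    """Monte Carlo in the FAIR spirit: sample each uncertain range from a
    triangular distribution (mode assumed at the midpoint) and return the
    10th, 50th and 90th percentile totals."""
    rng = random.Random(seed)
    totals = sorted(outage + rng.triangular(*ramp) + rng.triangular(*exfil)
                    for _ in range(runs))

    def pick(p: float) -> float:
        return totals[int(p * (runs - 1))]

    return pick(0.10), pick(0.50), pick(0.90)
```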

Materiality Estimates - SAFE One Platform

Example of assessing material risk with the SAFE One platform, showing cyber loss categories

JLR Cyber Attack: The Background

Overnight…

On a quiet Sunday, the last day of August, the first external signs that Jaguar Land Rover (JLR) may have been hacked began trickling out of the company. By the next morning, the company was shuttered. 

  • Global production of more than 1,000 cars per day was halted at all manufacturing and assembly plants in the UK, Brazil, Slovakia and India. 
  • Newly assembled cars sat frozen in place, creating significant delivery backlogs to dealers and export shipping carriers. 
  • Dealers couldn’t register new cars and service centers couldn’t perform diagnostic tests or access replacement parts. 

In an instant, JLR lost the ability to track parts, vehicles and tooling in its factories, along with access to the software used to sell and service its cars globally.

Collateral Damage in the Supply Chain

A single luxury car like a Range Rover can be made up of 30,000 discrete components furnished by a supply network of hundreds of companies representing 104,000 jobs in the UK alone. Many of these suppliers are small or medium-sized enterprises, many of which are highly dependent on Jaguar Land Rover and are facing severe financial hardship after nearly a month with no payments from JLR.

It has been reported that as many as 25% of them had already begun to lay off people and perhaps a further 20% to 25% would soon begin layoffs.

Which raises an interesting question in the world of digital interconnectedness and increasingly virulent supply chain cyber attacks: 

Should large enterprises consider helping to ensure the financial survival of critically dependent supply chains during a business interruption resulting from a cyber attack as part of the cost of doing business? 

JLR’s raw materials cost of sales on its income statement represents a significant amount of the revenue of this supply chain, more than £16 billion for its 2025 fiscal year.

The automotive industry uses “just-in-time” manufacturing to build vehicles so an automaker depends on hundreds of different companies to deliver the specific quantities of the parts, materials, electronics and other components exactly when they are needed, thereby eliminating its need to maintain large, expensive inventories of component parts. 

The supplier network is likewise designed for economic and logistic efficiency, resulting in a carefully balanced supply chain. Smaller suppliers primarily or wholly dependent on one automaker are unlikely to have the financial wherewithal to survive a sudden and prolonged cessation of orders without laying off employees or potentially reaching a state of insolvency. 

In this symbiotic relationship the automaker is equally dependent on suppliers to provide the component parts so it is incumbent on that automaker to ensure its entire supply chain is ready to receive the “just-in-time” flow as soon as production resumes and during the time it ramps back up.


The Unite labor union, more than 30 MPs including the chair of the Commons Business and Trade Committee, the Business and Trade Minister, the Department of Business and Trade, Business Secretary Peter Kyle, and the Society of Motor Manufacturers & Traders among others, have all been discussing ways to help the more at-risk suppliers. 

Notwithstanding the continual assistance provided by the UK National Cyber Security Centre and the UK National Crime Agency to JLR since the hack was discovered, the UK government has never before offered financial support to corporate victims of cyber crime, and it has been reluctant to do so in this case, relying instead on JLR to help its suppliers.

Recognizing how fragile portions of Jaguar Land Rover’s supply chain had become during the past four weeks with no revenues coming in from JLR, the UK government’s export credit agency agreed to back a 5-year, £1.2b loan to JLR from a commercial bank to help Jaguar Land Rover support its supply chain, which is considered vital to the British car industry. To put the amount of that loan into perspective, the average monthly cost of raw materials (including component parts) on JLR’s income statement was £1.4b last year.

Recovery at Jaguar Land Rover

JLR is focusing on getting money flowing into its supply chain as quickly as it can. In a statement made on September 25, the company said that it had “significantly increased IT processing capacity for invoicing” and was “working to clear the backlog of payments to our suppliers as quickly as we can.” Its Global Parts Logistics Centre that supplies parts is now returning to full operations so its clients’ cars can be serviced. 

Finally, JLR also said the processing of wholesales of vehicles was brought back online so it is now able to sell and register vehicles faster. Apparently, tens of thousands of completed vehicles were delivered to retailers and a workaround was created to license those cars for delivery to buyers.

Bringing production back online will not be easy, for the same reason that it was completely shut down in the first place. Two years ago, Jaguar Land Rover signed a five-year, £800m contract with Tata Consultancy Services (TCS), another subsidiary of JLR’s parent company, Tata Group. Under the contract, TCS would manage networks and data connections, provide cybersecurity for JLR, and transform its digital infrastructure.

TCS’ president of manufacturing published a video with JLR that highlights “smart factories where everything is connected” to try to “remove waste” and use artificial intelligence to “avoid plant downtime”. 

Apparently, this interconnectedness became a vulnerability: when the company discovered the attack it was unable to isolate individual factories or functions, and was forced to shut down most of its systems.

Further complicating a manufacturing restart are the more than 1,000 cars on production or assembly lines in various stages of build. Each car will require its own custom completion plan. 

Two weeks after the attack began, the company projected that the production pause would end on September 24. That projection was then extended to October 1. On September 29, JLR announced that “…some sections of our manufacturing operations will resume in the coming days.” The latest update is that the Wolverhampton engine manufacturing plant in the UK will reopen on October 6, with a careful global resumption of car manufacturing to follow after ensuring no remnants of the malware remain.

