{"id":30128,"date":"2025-03-18T15:16:08","date_gmt":"2025-03-18T15:16:08","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=30128"},"modified":"2025-03-19T00:00:06","modified_gmt":"2025-03-19T00:00:06","slug":"jaguar-land-rover-data-breach","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/jaguar-land-rover-data-breach\/","title":{"rendered":"Jaguar Land Rover Data Breach Involved Two Attacks"},"content":{"rendered":"

Jaguar Land Rover suffered a significant data breach<\/strong>. Two hackers are said to have exploited stolen Jira credentials, leaking sensitive information. The leaked data, including source code, employee details, and proprietary documents.<\/p>\n

Jaguar Land Rover Breached<\/h2>\n

In early March 2025, Jaguar Land Rover (JLR), a UK-based luxury car manufacturer, reportedly suffered a significant data breach<\/a>. This breach involved two distinct threat actors: the HELLCAT ransomware group, also referred to as “Rey,” and a second hacker identified as “APTS.”<\/p>\n

\"Rey\u2019s
Rey\u2019s thread on a cybercrime forum in which they leaked data from Jaguar Land Rover<\/figcaption><\/figure>\n

While the exact date of the breach is not explicitly stated, it is clear that the incident was recent. On the other hand, the credentials exploited by APTS dated back to 2021<\/strong>, suggesting a long-term vulnerability. For instance, a report corroborates the exposure of source code and employee details, while another website mentions the leak of 700 internal documents by Rey.<\/p>\n

Threat Actors and Their Methods<\/h2>\n

As I said above, the breach involved two primary actors: HELLCAT (Rey) and APTS<\/strong>. HELLCAT employs its “infostealer-playbook” strategy, using infostealer malware<\/a> to collect credentials. It focuses on Jira systems, which are integral to enterprise operations, making the stolen data highly valuable for further attacks.<\/p>\n

Infostealer malware, such as Lumma<\/a>, infects devices through phishing, malicious downloads, or compromised websites, exfiltrating login credentials that are often sold or hoarded on the Darknet. APTS followed a similar approach, exploiting the same type of credentials to access JLR\u2019s systems.<\/p>\n

\"The
The login credentials that were used to perform the breach, detected years ago by Hudson Rock\u2019s Cavalier (source: infostealers.com)<\/figcaption><\/figure>\n

The article also specifies that the credentials used were from a compromised LG Electronics employee (his email ending with \u00abon@lge.com\u00bb) with third-party access to JLR\u2019s Jira server. These credentials, detected in Hudson Rock\u2019s database since at least 2018, were viable as of 2021<\/strong>. Hudson Rock, a cybercrime intelligence provider, reported over 30,000,000 computers infected with infostealers<\/strong>, with thousands of companies, including JLR, having compromised Jira credentials from these infections.<\/p>\n

Data Leaked and Scale<\/h2>\n

How about scale, the scale of the data breach is significant, with Rey leaking hundreds of internal files and gigabytes of Jira issues, though the exact size is not specified. APTS, on the other hand, leaked an additional 350 gigabytes of data<\/strong>, including proprietary documents, source codes, employee data, and partner information.<\/p>\n

\"APTS
APTS leaking additional data from Jaguar Land Rover<\/figcaption><\/figure>\n

This additional leak was confirmed through a screenshot of a Jira dashboard shared by APTS. Some reports mention approximately 700 internal documents<\/strong> leaked by Rey, including development logs and tracking data.<\/p>\n

Implications and Broader Context<\/h2>\n

The breach has significant implications for JLR and the broader cybersecurity landscape, which is obvious. The leaked data, particularly source codes and employee details, poses risks for further attacks, such as phishing campaigns<\/a> or intellectual property theft.<\/p>\n

AI could amplify the impact of such large breaches, making stolen data more valuable for cybercriminals. And it’s all given JLR\u2019s size, with nearly 39,000 employees and over $37 billion<\/strong> in revenue in the previous year. The incident also shows the vulnerability of Jira systems for enterprise operations. And it is worth holding in mind, considering how widespread it is in modern day software engineering.<\/p>\n

Among JLR, there are previous victims of infostealer campaigns, including Telef\u00f3nica, Schneider Electric, and Orange<\/strong>. For example, the Telef\u00f3nica breach discusses similar tactics. One detail is the longevity of the exploited credentials, dating back to 2018 and remaining viable until at least 2021.<\/p>\n

This long-term vulnerability, detected by Hudson Rock\u2019s database, illustrates how stolen credentials can persist for years if not monitored, posing a continuous risk to organizations. This is particularly relevant for companies relying on third-party access, as seen with the LG Electronics employee\u2019s credentials.<\/p>\n","protected":false},"excerpt":{"rendered":"

Jaguar Land Rover suffered a significant data breach. Two hackers are said to have exploited stolen Jira credentials, leaking sensitive information. The leaked data, including source code, employee details, and proprietary documents. Jaguar Land Rover Breached In early March 2025, Jaguar Land Rover (JLR), a UK-based luxury car manufacturer, reportedly suffered a significant data breach. […]<\/p>\n","protected":false},"author":7,"featured_media":30140,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[619,697],"class_list":{"0":"post-30128","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-cybersecurity","9":"tag-data-breach"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/03\/GS_Blog_Behind-the-Breach_-How-Jaguar-Land-Rover-Fell-Victim-to-a-Dual-Cyber-Attack_1280x674.webp","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/30128","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=30128"}],"version-history":[{"count":12,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/30128\/revisions"}],"predecessor-version":[{"id":30158,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/30128\/revisions\/30158"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/30140"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=30128"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=30128"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=30128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}