In September 2025, Jaguar Land Rover (JLR) was forced to halt production across its three major UK plants following a significant cyber-attack. The disruption impacted over 30,000 employees and suppliers, with ripple effects throughout the automotive supply chain. While operational continuity and economic recovery dominated headlines, the incident also carried significant data protection and governance implications. This blog explores the intersection of cybersecurity and data protection, and outlines what privacy and compliance teams should prioritise to enhance resilience, governance and accountability.
Overview of the incident
The cyber-attack, reportedly linked to the Shiny Hunters Collective, disrupted operations at JLR’s Solihull, Wolverhampton and Halewood plants. Early assessments suggested the attackers accessed and leaked internal debug logs, backend code and connected service modules, raising concerns about potential exposure of proprietary data and authentication processes. Although no confirmed breach of customer data had been reported, the leaked internal information and potential intellectual property exposure highlighted vulnerabilities within both Information Technology (IT) and Operational Technology (OT) systems. This incident reinforces that cyber-attacks are not just operational or reputational crises, but also data protection events under global regulatory frameworks.
Data protection implications
Under both the UK and EU GDPR, as well as frameworks such as the California Consumer Privacy Act (CCPA) and Brazil’s General Data Protection Law (LGPD), personal data is broadly defined as any information that can directly or indirectly identify individuals, including employees and contractors. Cyber incidents that expose internal system logs, access tokens or credentials may contain such identifiers, triggering data breach notification requirements.
Key considerations include:
- Assessment of personal data exposure: even if customer data was not directly compromised, logs and access tokens may include identifiers linked to employees, suppliers or service users
- Timely notification obligations: depending on the jurisdictions involved, supervisory authorities and affected individuals must be notified within statutory timeframes (e.g., 72 hours under GDPR) if risk to rights and freedoms is likely
- Supply chain dependencies: data controllers and processors must ensure that contractual clauses, audits and incident response plans extend to all tiers of their supply chain
- Cross-border processing: the global nature of JLR’s operations underscores the importance of understanding where data is stored and processed, especially if compromised systems are hosted across multiple jurisdictions
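As an added illustration of the first two considerations above (not part of the original post), the script below scans a constructed excerpt of a leaked debug log for personal identifiers and credentials, separates the two for breach assessment, and works out the 72-hour window from the time of awareness. The log lines, regular expressions and timestamps are assumptions, not material from the incident.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt of a leaked debug log (hypothetical, not from the incident).
SAMPLE_LOG = """\
2025-09-02T04:11:03Z DEBUG auth: login ok user=j.smith@example-supplier.com src=10.12.4.7
2025-09-02T04:11:04Z DEBUG api: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123def456
2025-09-02T04:11:09Z INFO  build: pipeline 4471 finished in 312s
2025-09-02T04:12:00Z DEBUG hr-sync: employee_id=E-048812 session=ok
"""

# Each pattern is tagged with the kind of exposure it indicates.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9._-]+"),
    "employee_id": re.compile(r"\bemployee_id=[A-Z]-\d+"),
}
PERSONAL = {"email", "ipv4", "employee_id"}   # identifiers that can point to a person
CREDENTIAL = {"bearer_token"}                 # secrets to revoke, not personal data as such

def scan_log(text):
    """Return (line_no, exposure_kind) for every pattern hit, in line order."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            if pat.search(line):
                findings.append((no, kind))
    return findings

def exposure_summary(findings):
    """Separate personal-data hits (breach-assessment input) from credential hits."""
    counts = {}
    for _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return {
        "personal_data_lines": sorted({n for n, k in findings if k in PERSONAL}),
        "credential_lines": sorted({n for n, k in findings if k in CREDENTIAL}),
        "counts": counts,
        "likely_personal_data": any(k in PERSONAL for _, k in findings),
    }

def gdpr_notification_deadline(awareness_iso):
    """Art. 33 UK/EU GDPR: notify the supervisory authority without undue delay and,
    where feasible, within 72 hours of becoming aware. Input/output are ISO 8601 strings."""
    return (datetime.fromisoformat(awareness_iso) + timedelta(hours=72)).isoformat()

if __name__ == "__main__":
    print(exposure_summary(scan_log(SAMPLE_LOG)))
    print("notify by:", gdpr_notification_deadline("2025-09-02T06:00:00+00:00"))
```

The pattern set is deliberately small; in practice the list is extended with the identifier formats actually used in the affected systems, and every credential hit is routed to revocation regardless of the notification decision.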
What should privacy and compliance teams do?
Privacy teams should view this incident as a catalyst to reinforce organisational resilience. Key actions include:
- Integrating cybersecurity and data protection governance: ensuring data protection impact assessments (DPIAs) explicitly address cybersecurity dependencies within OT and IT environments
- Updating incident response frameworks: aligning cybersecurity playbooks with breach notification procedures and escalation protocols, and ensuring Data Protection Officers (DPOs) are involved from the outset of any incident
- Testing supply chain preparedness: conducting audits and tabletop exercises with third-party processors and suppliers to confirm incident reporting mechanisms and contractual safeguards
- Enhancing employee awareness: training staff on data handling, phishing response, and incident escalation procedures, recognising that human factors remain a leading cause of breaches
- Documenting accountability: maintaining detailed records of decision-making during incidents to demonstrate compliance with GDPR Article 5(2) and equivalent accountability principles worldwide
Why it matters beyond compliance
Incidents like the JLR cyber-attack highlight the importance of digital trust. Beyond regulatory duties, organisations that respond transparently and proactively not only mitigate regulatory risk but also reinforce public and stakeholder confidence. For automotive manufacturers, where connected vehicle systems, telematics, and AI-driven platforms are integral, data integrity is essential to safety, continuity, and innovation. Breaches affecting code repositories or vehicle logic can compromise not just privacy, but product reliability and user safety.
Looking ahead
The JLR incident underscores the urgent need to converge cybersecurity, privacy and operational resilience. With regulations such as the EU’s NIS2 Directive, the Digital Operational Resilience Act (DORA), and emerging U.S. state laws raising expectations, privacy and security teams must work hand-in-hand to ensure robust governance across the enterprise.
As an experienced global outsourced Data Protection Officer, HewardMills supports businesses to take a proactive, integrated approach, backed by continuous monitoring, supplier engagement and transparent communication. This approach ensures they are best positioned to meet evolving regulatory demands and maintain trust in the face of cyber adversity.