Jaguar Land Rover hit by HELLCAT ransomware group
Jaguar Land Rover (JLR) has fallen victim to the HELLCAT ransomware group. The attack has resulted in the exposure of sensitive internal documents and employee data on hacking forums, following patterns similar to previous attacks by the same group against major corporations including Telefonica, Schneider Electric, and Pinger.
Hudson Rock researchers have reported that a threat actor identified as "Rey" claimed responsibility for the breach. According to Rey's claims, approximately 700 internal JLR documents were compromised in the attack. The leaked data reportedly includes:
- Development logs
- Tracking data
- Proprietary source code
- Employee dataset containing usernames, email addresses, display names, and time zone information
Researchers have confirmed that some of the exposed data contains information about legitimate JLR employees from global operations, raising significant concerns about potential identity theft and targeted phishing campaigns.
A second threat actor operating under the nickname "APTS" emerged on the forum with separate claims. APTS stated they had also gained access to JLR's systems using the same infostealer credentials and had stolen an even greater quantity of data. This additional data leak is estimated at approximately 350 gigabytes and reportedly contains information not included in Rey's data dump.
HELLCAT's attack against JLR appears to follow their established attack pattern of targeting Atlassian Jira instances using stolen credentials. According to Hudson Rock's cybercrime intelligence database, which contains information on over 30 million systems infected with infostealers, thousands of companies have Jira-related compromised credentials from infostealer infections.
The total number of affected individuals and the financial impact of the breach have not been disclosed.
The group likely gained initial access through compromised Jira credentials, similar to their recent attack against Telefonica, where they exploited the telecommunications company's Jira platform at "jira.globalsap.telefonica.com".
Once inside a network, HELLCAT deploys a series of PowerShell scripts that establish persistence through registry modifications,