Jaguar Land Rover hacked, 350 GB data leaked, report
Hack by ransomware gang Hellcat used compromised JIRA credentials
Jaguar Land Rover (JLR) was reportedly hacked last week, with data including plans, source code and employee details stolen.
The breach was reported by Hudson Rock CTO Alon Gal, who said in a blog post that the Hellcat ransomware group has claimed responsibility for “leaking gigabytes of sensitive information including proprietary documents, source codes, and employee and partner data.”
The blog includes a screenshot of a post on dark web site BreachForums by a hacker named “Rey”, claiming that 700 documents were taken.
According to Gal, the attackers exploited Atlassian JIRA credentials that had been stolen from employees using infostealer malware over several years.
JIRA is a frequently used tool that allows third parties to collaborate remotely on software development and other projects.
Following the initial breach by Rey, a second threat actor, “APTS,” posted a tranche of 350 GB of data said to be from JLR, claiming to have exploited the same JIRA credentials.
According to Gal, this breach follows an established playbook seen previously in attacks on Schneider Electric, Telefonica and Orange.
“Infostealer malware—such as Lumma, which was implicated in the Schneider Electric breach—silently infects employees’ devices, often through phishing emails, malicious downloads, or compromised websites,” he wrote.
“Once embedded, the malware exfiltrates sensitive data, including login credentials for corporate systems. These stolen credentials are then sold or hoarded on the dark web, waiting for threat actors like Rey and ‘APTS’ to exploit them.”
He added that many of the compromised JIRA credentials were old, having been logged in threat intelligence databases for several years, suggesting that the company had not rotated them or removed old logins.
“The credentials they harvest can remain viable for years, especially if companies fail to implement robust monitoring, multi-factor authentication (MFA), or timely credential rotation,” Gal noted.
The Hellcat group first emerged in 2024 and has targeted telecoms companies, universities and energy companies.
Commenting on the apparent breach, head of business product at NordPass, Karolis Arbaciauskas, said: “If vehicle tracking data, development logs, source code, and employee details were indeed stolen, it’s a big deal.
“Such materials are usually highly sensitive, so the consequences can vary from reputational damage to loss of competitiveness and large sums of money.
“Just imagine – your company has poured millions into R&D, and one day, someone just steals it all and sells it to your competitors for a fraction of what you invested.”
JLR has not yet commented on the reported breach.