Jaguar Land Rover Data Breach Involved Two Attacks

Stephanie Adlam
Jaguar Land Rover Hacked In Two Steps, Customer Data Leaked
Jaguar Land Rover has been breached twice, resulting in a massive data leak

Jaguar Land Rover suffered a significant data breach. Two hackers are said to have used stolen Jira credentials to get in and leak sensitive information. The leaked data includes source code, employee details, and proprietary documents.

Jaguar Land Rover Breached

In early March 2025, Jaguar Land Rover (JLR), a UK-based luxury car manufacturer, reportedly suffered a significant data breach. Two distinct threat actors were involved: an actor using the handle “Rey”, associated with the HELLCAT ransomware group, and a second hacker identified as “APTS.”

Rey’s thread on a cybercrime forum in which they leaked data from Jaguar Land Rover

The exact date of the breach is not stated, but the incident is clearly recent. The credentials exploited by APTS, by contrast, date back to 2021, which points to a long-standing exposure rather than a fresh compromise. One report corroborates the exposure of source code and employee details, while another mentions the leak of roughly 700 internal documents by Rey.

Threat Actors and Their Methods

As noted above, the breach involved two primary actors: HELLCAT (Rey) and APTS. HELLCAT follows what has been called its “infostealer playbook”: credentials harvested by infostealer malware are reused to log in to corporate Jira instances. Jira sits at the centre of enterprise engineering workflows, so a single valid login exposes tickets, attachments and the surrounding project context, all of which are valuable for follow-on attacks.

Infostealer malware such as Lumma infects devices through phishing, malicious downloads, or compromised websites, then exfiltrates the login credentials saved on the machine; those credentials are later sold or hoarded on darknet markets. APTS followed a similar approach, using the same kind of stolen credentials to access JLR’s systems.

The login credentials that were used to perform the breach, detected years ago by Hudson Rock’s Cavalier (source: infostealers.com)

The article also specifies that the credentials used belonged to a compromised LG Electronics employee (email ending with «[email protected]») who had third-party access to JLR’s Jira server. These credentials had been present in Hudson Rock’s database since at least 2018 and were still viable as of 2021. Hudson Rock, a cybercrime intelligence provider, reports over 30,000,000 computers infected with infostealers, and thousands of companies, JLR among them, have had Jira credentials exposed through such infections.

Data Leaked and Scale

The scale of the breach is significant. Rey leaked hundreds of internal files and gigabytes of Jira issues, though no exact size is given. APTS leaked an additional 350 gigabytes of data, including proprietary documents, source code, employee data, and partner information.

APTS leaking additional data from Jaguar Land Rover

This additional leak was backed up by a screenshot of a Jira dashboard shared by APTS. Some reports put Rey’s leak at approximately 700 internal documents, including development logs and tracking data.

Implications and Broader Context

The breach has significant implications for JLR and for the broader cybersecurity landscape. The leaked data, particularly source code and employee details, creates risk of further attacks, such as targeted phishing campaigns or intellectual property theft.

AI tooling could amplify the impact of a breach of this size by making a large dump of stolen data faster to sift and easier to weaponise. The exposure is magnified by JLR’s scale: nearly 39,000 employees and over $37 billion in revenue in the previous year. The incident also shows how exposed Jira instances are when they rely on password logins alone, which is worth keeping in mind given how widespread Jira is in modern software engineering.

JLR joins previous victims of infostealer-driven intrusions, including Telefónica, Schneider Electric, and Orange; the Telefónica breach involved similar tactics. One notable detail is the longevity of the exploited credentials, first seen in 2018 and still valid in at least 2021.

This long-term exposure, visible for years in Hudson Rock’s database, illustrates how stolen credentials remain usable indefinitely if nobody checks for them and forces a rotation. The risk is especially acute for companies that grant third-party access, as the LG Electronics employee’s credentials show: the partner’s endpoint was infected, but JLR’s Jira was the system that paid for it.
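The practical check that the last two sections call for is to cross-reference credential-leak intelligence against your own account inventory and flag every login that has not been rotated since the infostealer captured it. The following Python is an added example written for this page; it is not code from the article, from Hudson Rock, or from JLR. The stealer-log records and the Jira account inventory are constructed sample data, and the host `jira.example-oem.com`, the usernames, and the dates are all hypothetical. It generalises the article’s single case: it handles several victims at once, ignores records for unrelated hosts, skips accounts that are already disabled, and separately flags leaked usernames that no longer appear in the inventory.

```python
"""Stale stolen-credential check (added example, not the article's code)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class StealerRecord:
    """One line from an infostealer log: the site the browser had a saved login for."""
    target_url: str
    username: str
    captured: date  # date the stealer log was generated on the victim machine


@dataclass(frozen=True)
class JiraAccount:
    """One row of the organisation's own Jira account inventory."""
    username: str
    last_password_change: date
    third_party: bool  # partner/contractor account rather than a staff account
    active: bool


@dataclass(frozen=True)
class Finding:
    username: str
    captured: date
    days_exposed: int
    third_party: Optional[bool]  # None when the account is not in the inventory
    reason: str


def normalise_host(url: str) -> str:
    """Lower-cased hostname without scheme, port or path; stealer logs mix all of these."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat a bare 'host/path' as a network location
    return urlsplit(url).hostname or ""


def find_stale_credentials(records, accounts, jira_host, today):
    """Return one Finding per leaked username whose Jira login still looks usable.

    A credential is stale when the account is active and its password was last
    changed on or before the date the stealer captured it. Usernames that are
    missing from the inventory are reported too, so deprovisioning can be verified.
    """
    wanted = normalise_host(jira_host)
    earliest = {}  # username -> earliest capture date seen for this host
    for rec in records:
        if normalise_host(rec.target_url) != wanted:
            continue  # credential for some other site; not our Jira
        user = rec.username.strip().lower()
        if user not in earliest or rec.captured < earliest[user]:
            earliest[user] = rec.captured

    by_user = {acct.username.lower(): acct for acct in accounts}
    findings = []
    for user, captured in sorted(earliest.items()):
        exposed = (today - captured).days
        acct = by_user.get(user)
        if acct is None:
            findings.append(Finding(user, captured, exposed, None, "not_in_inventory"))
        elif not acct.active:
            continue  # already disabled; nothing left to rotate
        elif acct.last_password_change <= captured:
            findings.append(Finding(user, captured, exposed, acct.third_party,
                                    "never_rotated_since_capture"))
    return findings


# Constructed sample data (hypothetical host, users and dates).
JIRA_HOST = "jira.example-oem.com"
AS_OF = date(2021, 3, 1)
RECORDS = [
    StealerRecord("https://jira.example-oem.com/login.jsp", "contractor@partner.example", date(2018, 6, 2)),
    StealerRecord("https://mail.unrelated.example/", "contractor@partner.example", date(2019, 3, 3)),
    StealerRecord("https://jira.example-oem.com/", "dev1@example-oem.com", date(2020, 1, 15)),
    StealerRecord("https://JIRA.example-oem.com:8080/secure/Dashboard.jspa", "svc-build@example-oem.com", date(2021, 7, 1)),
    StealerRecord("jira.example-oem.com/login.jsp", "ghost@partner.example", date(2020, 11, 11)),
]
ACCOUNTS = [
    JiraAccount("contractor@partner.example", date(2017, 11, 20), third_party=True, active=True),
    JiraAccount("dev1@example-oem.com", date(2020, 3, 1), third_party=False, active=True),
    JiraAccount("svc-build@example-oem.com", date(2019, 1, 1), third_party=False, active=False),
]

if __name__ == "__main__":
    for f in find_stale_credentials(RECORDS, ACCOUNTS, JIRA_HOST, AS_OF):
        tag = "third-party" if f.third_party else "staff/unknown"
        print(f"{f.reason:28} {f.username:30} captured {f.captured} exposed {f.days_exposed}d ({tag})")
```

In the sample data the partner account is the JLR pattern: captured in 2018, password unchanged since 2017, still active in 2021, so it is reported with more than a thousand days of exposure. The staff developer rotated after the capture and is not reported, the disabled service account is skipped, and the unknown username is surfaced so someone can confirm it really was deprovisioned rather than silently lost from the inventory. Rotating the flagged passwords is the minimum response; the durable fix is to put Jira behind SSO with MFA so a stolen password alone no longer works.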
