SecureFact – Cyber Security News – Week of September 29, 2025

UK govt backs JLR with £1.5 billion loan guarantee after cyberattack

  • The UK Government provided Jaguar Land Rover with a £1.5 billion loan guarantee to restore its supply chain after a catastrophic cyberattack forced the automaker to halt production.
  • The attack caused severe disruption to JLR’s IT systems and manufacturing operations, leading to suspended production across multiple plants. Attackers stole data from JLR’s systems, which the company later confirmed.
  • The attack was so severe that JLR was forced to extend its shutdown by another week as it recovered systems.
  • A group calling itself “Scattered Lapsus$ Hunters” claimed responsibility, posting screenshots of internal HOSTS files from JLR SAP systems and claiming to have deployed ransomware across the company’s network.
  • The threat actors are believed to be linked to Scattered Spider, Lapsus$, and ShinyHunters groups. JLR failed to finalize its cyber insurance policy prior to the attack, making the government loan guarantee crucial for recovery.
  • The loan will be repaid over five years and provides cash relief to pay suppliers and restore the supply chain.
  • JLR employs 34,000 people directly and supports around 120,000 jobs through its supply chain, making it one of the UK’s largest exporters.

*Source

Data breach exposes 2.73 lakh bank records

  • An unsecured Amazon cloud server exposed over 273,000 bank transfer records, revealing account numbers, transaction amounts, and personal details such as names, phone numbers, and emails.
  • The data was formatted for National Automated Clearing House (NACH) requirements, but the leak did not originate from NPCI systems. A total of 38 banks and lenders were involved, with Aye Finance accounting for nearly 60% of the records and State Bank of India for 24%.
  • The exposed documents included unsigned ACH mandate applications, rather than highly sensitive identifiers like Aadhaar or PAN. UpGuard discovered and reported the breach on August 26, 2025, but it took several days for CERT-In to secure the data.
  • No single party has accepted responsibility, citing the complexities of the NACH financial ecosystem. The incident underscores the ongoing risks from third-party and cloud misconfigurations in banking.

*Source

Automaker giant Stellantis confirms data breach after Salesforce hack

  • Automotive manufacturing giant Stellantis confirmed that attackers stole North American customer data after gaining access to a third-party service provider’s platform.
  • The ShinyHunters extortion group claimed responsibility and told BleepingComputer they had stolen over 18 million Salesforce records from the company’s instance. The stolen data includes names and contact details of customers, though the compromised platform was not used to store financial or other sensitive personal information.
  • This attack is part of a recent wave of Salesforce data breaches linked to ShinyHunters affecting numerous high-profile companies throughout 2025.
  • The threat actors used voice phishing attacks and stolen OAuth tokens for Salesloft’s Drift AI chat integration with Salesforce.
  • Stellantis activated incident response protocols immediately upon discovery and initiated a comprehensive investigation.
  • The company is notifying appropriate authorities and directly informing affected customers.
  • Customers are advised to be cautious of potential phishing attempts and refrain from clicking suspicious links or sharing personal information when receiving unexpected communications.

*Source

Boyd Gaming discloses data breach after suffering a cyberattack

  • US gaming and casino operator Boyd Gaming Corporation disclosed it suffered a breach after threat actors gained access to its systems and stole data.
  • The company operates 28 gaming properties across ten states, employs over 16,000 people, and had annual revenue of $3.9 billion in 2024.
  • The unauthorized third party removed certain data from Boyd Gaming’s IT systems, including information about employees and a limited number of other individuals.
  • The company worked with external cybersecurity experts to respond to the attack and notified law enforcement agencies.
  • Boyd Gaming is notifying impacted individuals and has informed various regulators and governmental agencies as required.
  • The incident has not affected the company’s operations and is not anticipated to have a material adverse impact on financial condition. The company has cybersecurity insurance expected to cover costs associated with the incident.
  • No specific details were provided about the volume or types of personal data compromised. No ransomware gangs or other threat actors have claimed responsibility for the attack at the time of disclosure.

*Source

Harrods suffers new data breach exposing 430,000 customer records

  • UK luxury retail giant Harrods disclosed a new cybersecurity incident after hackers compromised a third-party supplier and stole 430,000 records containing sensitive e-commerce customer information.
  • The breach exposed customer names and contact details, with some records also including internal marketing tags and labels related to services provided by Harrods. Some customer records contained tier level information or affiliation to Harrods co-branded cards, though this information is unlikely to be interpreted accurately by unauthorized third parties.
  • The leaked data does not include account passwords, payment information, or order histories, limiting exposure to basic personal identifiers. The threat actors contacted Harrods directly, likely in an attempt to extort the company, but Harrods stated it would not engage in communication with the attackers.
  • Harrods proactively informed affected e-commerce customers and notified all relevant authorities, working closely with them on the investigation. The company continues efforts to inform and support exposed customers while advising them to stay vigilant for phishing attacks and social engineering attempts.
  • This incident is separate from the May 2025 cyberattack attributed to Scattered Spider that was successfully blocked.

*Source