JLR cyberattack pushes TCS to standardize security for top clients
The pilots mark a structured approach by TCS to incident response for marquee accounts, including JLR, as client exposure from cyber breaches rises.
NEW DELHI/BENGALURU: Tata Consultancy Services Ltd (TCS) is piloting standardized cybersecurity practices for its largest clients, forming dedicated teams and fixed response procedures to limit damage from cyberattacks, as one of its marquee customers, Jaguar Land Rover, faces a potential $1 billion hit from a prolonged data breach.
The breach halted production, exposed employee data, and has left the carmaker facing regulatory scrutiny and potential lawsuits.
According to at least two executives with knowledge of the matter, India’s largest IT services firm is forming six dedicated teams, comprising about 150 people in total, to run pilots of fixed cybersecurity procedures to mitigate damage in case of a cyberattack.
These procedures include video validation of employees who are in-charge of technical IT support, deploying AI tools to track hacker movement within an IT system, and embedding additional cybersecurity tools to ensure network security, according to one of the people with knowledge of the matter.
“The results of these pilots will be shown to all our clients and then incorporated in their IT systems," said one of the executives privy to the developments.
An email sent to TCS on Wednesday seeking comments went unanswered.
Damage control
The pilots follow a cyberattack on JLR in August that disrupted manufacturing operations and exposed personal data of employees and contractors. The breach has also caused reputational damage for the Tata Group, as TCS is handling the British carmaker’s backend IT work and both companies are part of the conglomerate.
The luxury carmaker confirmed the leak of personal data to Mint and said it is engaging with affected individuals and regulators.
“From the ongoing forensic investigation, JLR believes that certain data related to current and former JLR employees and contractors was affected by the cyber incident," a spokesperson of JLR told Mint. “We remain in dialogue with the relevant regulators, and we are in the process of contacting current and former employees and contractors as necessary."
JLR arranged access to credit for affected employees and vendors, along with a helpline, the spokesperson added.
TCS signed an IT transformation deal with JLR in September 2023. This five-year deal, valued at $1 billion, includes managing the car company’s back-end IT, cloud migration, cybersecurity, data services, and application development.
The attack stalled car production, repair, and maintenance across various JLR outlets, and prompted closer monitoring by Tata Group’s top leadership.
The situation was regularly reviewed by TCS chief operating officer Aarthi Subramaniam, according to one of the executives cited earlier. She was joined by Tata Sons chief digital officer Aparna Ganesh and Sudeep Mazumdar, vice-president and manufacturing head for TCS’s UK and Ireland business. The three leaders gave weekly updates to Tata Sons chairman Natarajan Chandrasekaran.
Financial hit
JLR bore the brunt of the impact. New chief executive P.B. Balaji acknowledged that the carmaker had taken a financial hit following the production stoppage, though experts believe costs could rise further due to regulatory fines and legal action.
In a post-earnings media briefing, Balaji said the company booked an exceptional loss of $150 million as vehicles were not produced during the period.
“The bigger impact in terms of production lost for this period being picked up, that's more a time-facing ramp of production, how much we can catch up on. So that's what we are hoping to pick up speed," Balaji had said on 14 November.
Balaji is now tasked with successfully recovering operations of the carmaker and getting the stock to its dealers on time, apart from dealing with the ramifications of the attack.
With the admission that employee data was breached, the company now faces the risk of regulatory fines and potential lawsuits from employees over exposure of sensitive information.
Independent analysts estimate the total hit could exceed $1 billion, ranking it among the costliest cyberattacks in the Tata Group’s history.
For Mumbai-based TCS, the JLR incident marked the third cyberattack involving its clients in a year, after British retailers Marks & Spencer and Co-operative Group Ltd. Similar to the breach at M&S, the attack on JLR occurred through IT vendors.
However, TCS’s management denied that attackers entered through its systems.
“As all of us know, global businesses are increasingly experiencing cyber-threats. These threats are getting more and more sophisticated. We are working closely with our customers to safeguard their interests. Recent incidents saw some of TCS’s clients becoming victims to these cyber-attacks resulting in severe disruptions to their businesses. I would like to clarify that there has been no compromise of TCS systems, nor any impact to other customers in all these incidents," Subramanian had said during the company’s post-earnings analyst call on 9 October.
Inside the breach
The genesis of the attack can be traced to the second week of August, when identities of certain third-party employees managing JLR’s IT infrastructure were compromised. The attackers, identified as Scattered Lapsus $ Hunters, launched a full-scale cyberattack in the last week of August on JLR’s IT systems.
The attack lasted around 45 days, with unauthorized access persisting for nearly a month. Hackers broke in through an unsecured SAP server and introduced software known as a web shell, which gave them backdoor access and allowed modification of JLR’s IT functions, according to the two executives cited earlier.
Mint has learnt that TCS engaged three companies–Unit 42 of Palo Alto Networks, Google Mandiant, and Fenix24–to counter the attack and support data restoration.
“New servers were set up, new computing equipment and storage were needed, and new racks were purchased to clean up the existing data racks. We had to order servers and terabytes of storage," said the second executive on condition of anonymity.
The executive added that the cyber attackers demanded a ransom, which TCS did not pay. Mint could not independently ascertain the ransom amount.
Legal exposure
Experts say the breach could expose JLR to regulatory penalties and employee lawsuits across jurisdictions, particularly due to the leak of payroll and personal data.
“Such data leaks in the past, where employees have been affected, have led to class action lawsuits against the company. Moreover, regulators could also impose stiff fines. There is also going to be reputational damage to the firm, leading to a longer-term impact on sales and resale value of their cars," said Saket Modi, co-founder and chief executive at Safe Security, a Palo Alto-based cyber risk quantification firm.
Modi estimates the cost of the JLR fallout at $1.5 billion as the company prepares to deal with the regulatory and legal ramifications of the crisis, along with business loss already due to the halt in manufacturing operations.
To be sure, the risk of such data leaks was identified in JLR’s latest annual report, which said the company was “committed to safeguarding our data assets through specialist data governance capabilities, ensuring all our data assets are owned, controlled and accessible across JLR, and our employees have the skills, tools, and support to enact."
JLR had 44,103 employees at the end of the 2025 financial year.
Legal experts note the breach could trigger multi-jurisdictional scrutiny for JLR, given its presence across the UK, the US, and India.
"Payroll information is among the most sensitive categories of personal data, encompassing identifiers, financial details, and employment records. Its compromise is treated by regulators not simply as a technical lapse, but as a serious violation of trust and compliance obligations," said Hardeep Sachdeva, senior partner at AZB & Associates.
A third legal expert voiced a similar opinion.
Aniket Ghosh, partner at King Stubb & Kasiva, Advocates and Attorneys, said that the admission of a payroll data breach has increased regulatory and legal risks for JLR.
"In the UK, JLR's headquarters jurisdiction, the breach triggers UK GDPR and Data Protection Act 2018 scrutiny, with the ICO now reviewing notification adequacy; severe security or reporting shortfalls could attract fines up to £17.5 million or 4% of global turnover, compounded by employee compensation claims for distress," he said.
Ghosh added that such incidents commonly trigger class-action lawsuits in the US, with state-specific protections available to employees.
"Compromised staff identifiers (SSNs, bank details) activate state-specific breach notification laws, commonly fuelling class actions that probe safeguard adequacy and future harm risks," he said, noting that India’s CERT-In mandates six-hour reporting of such incidents.
JLR has declined to disclose how many employees were affected or whether it anticipates regulatory or legal costs arising from the breach.
The fallout could strain Tata Motors’ balance sheet, as JLR contributed 71% of its ₹4.40 trillion revenue and 79% of its ₹55,216 crore operating profit last fiscal.
TCS, meanwhile, faces slowing growth, a lack of large deals, and client slippage to competitors. Additional one-time costs related to refreshing JLR’s data infrastructure could further pressure margins. TCS reported revenue of $30.18 billion last year, up 3.8% year-on-year, with operating margins of 24.3%, down 30 basis points.
topics
