The Automotive Industry Under Siege: How Ransomware and Supply Chain Attacks Devastated Major Carmakers in 2024-2025


Executive Summary

The automotive industry has emerged as one of the most targeted sectors for cyberattacks in 2024-2025, with major manufacturers including Volvo, Stellantis, Scania, Hyundai AutoEver, and Jaguar Land Rover suffering devastating breaches that exposed millions of records and caused billions in damages. These incidents reveal a troubling pattern: attackers are systematically exploiting supply chain vulnerabilities, cloud platform weaknesses, and social engineering tactics to penetrate even the most sophisticated automotive companies.


The Rising Threat Landscape

According to Upstream Security's 2025 Global Automotive Cybersecurity Report, the automotive industry experienced an unprecedented surge in cyber threats throughout 2024, with documented incidents rising from 295 in 2023 to 409 in 2024 - a 39% increase. More alarming still, the share of incidents affecting millions of vehicles more than tripled, from 5% in 2023 to 19% in 2024. This surge is part of a broader cybersecurity crisis affecting all sectors, with ransomware attacks rising by 126% globally.

The financial impact has been catastrophic. Industry analysts estimate that cyberattacks could cost the automotive sector up to $505 billion by the end of 2024, with some projecting losses reaching $10.5 trillion annually by 2025. These aren't just statistics - they represent real disruption to manufacturing, compromised customer data, and cascading supply chain failures that threaten the entire automotive ecosystem.

Major Attacks That Shook the Industry

The automotive industry's vulnerability became painfully clear during the CDK Global ransomware attack in June 2024, which paralyzed 15,000 dealerships across North America for nearly two weeks. This attack, which ultimately cost the industry over $1 billion collectively, served as a harbinger for the devastating breaches that would follow throughout 2024-2025.

Volvo Group: A Swedish Nightmare (August-September 2025)

The Volvo Group North America breach stands as a textbook example of third-party risk materialization. In August 2025, Swedish HR software provider Miljödata fell victim to the DataCarry ransomware group, exposing data from approximately 870,000 email addresses across Sweden's public and private sectors.


For Volvo, this meant the exposure of current and former employees' names and Social Security numbers. The attack's sophistication lay not in its technical complexity but in its targeting - by compromising a single HR provider, attackers gained access to data from 25 major corporations, 200 Swedish municipalities, and multiple universities. The DataCarry group initially demanded 1.5 bitcoins (approximately $168,000) but ultimately published the data on the dark web when Volvo and other victims refused to pay.

This wasn't Volvo's first rodeo with cybercriminals. Earlier incidents included the Snatch ransomware group's theft of R&D data and the Endurance ransomware gang's compromise of confidential vehicle information, including police car specifications and tender details.

Stellantis: The Salesforce Campaign (September 2025)

Stellantis, the automotive giant behind brands like Jeep, Chrysler, Fiat, and Maserati, became ensnared in the massive Salesforce data breach orchestrated by the ShinyHunters extortion group. The September 2025 attack exposed over 18 million customer records from North America, including names, addresses, phone numbers, and email addresses. This attack was part of a broader campaign targeting Salesforce instances that affected hundreds of companies globally.

What makes this breach particularly significant is its methodology. ShinyHunters didn't directly hack Stellantis - instead, they exploited stolen OAuth tokens from Salesloft's Drift AI chat integration with Salesforce. This allowed them to access not just Stellantis but hundreds of companies' Salesforce instances. The group claimed to have stolen over 1.5 billion Salesforce records from 760 companies total, demonstrating the cascading impact of cloud platform vulnerabilities. This attack exemplified the Q1 2025 trend of supply chain attacks that would define the year.

The FBI issued emergency warnings about these attacks, noting that threat actors were using sophisticated social engineering, particularly voice phishing (vishing), to convince victims to download malicious third-party apps or reveal credentials.
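One way a defender could surface the pattern described above, where a third-party integration's OAuth token is replayed from outside the vendor's own infrastructure to pull CRM records in bulk. This is an added example, not part of the original article: the event fields, app name, network ranges and threshold are hypothetical, and the log events are constructed.

```python
import ipaddress
from collections import defaultdict

# Hypothetical allow-list: networks each connected app's vendor is expected to call from.
EXPECTED_NETWORKS = {
    "chat-integration": ["198.51.100.0/24"],
}
# Hypothetical ceiling on records a single token may read in one hour.
MAX_RECORDS_PER_HOUR = 5000

# Constructed sample events: (hour, connected app, token id, source IP, records returned)
SAMPLE_EVENTS = [
    ("2025-01-01T10", "chat-integration", "tok-a", "198.51.100.7", 120),
    ("2025-01-01T10", "chat-integration", "tok-a", "198.51.100.9", 300),
    ("2025-01-01T11", "chat-integration", "tok-a", "203.0.113.50", 4000),
    ("2025-01-01T11", "chat-integration", "tok-a", "203.0.113.50", 3500),
    ("2025-01-01T11", "unknown-app", "tok-z", "192.0.2.4", 10),
]

def in_expected_network(app, ip):
    """True if ip falls inside a network registered for this connected app."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in EXPECTED_NETWORKS.get(app, []))

def find_suspicious_tokens(events):
    """Return {token_id: sorted reasons} for tokens whose usage needs review."""
    findings = defaultdict(set)
    volume = defaultdict(int)  # (token, hour) -> records read in that hour
    for hour, app, token, ip, records in events:
        if app not in EXPECTED_NETWORKS:
            findings[token].add("unregistered_app")
        elif not in_expected_network(app, ip):
            findings[token].add("unexpected_source_ip")
        volume[(token, hour)] += records
    for (token, _hour), total in volume.items():
        if total > MAX_RECORDS_PER_HOUR:
            findings[token].add("bulk_export")
    return {token: sorted(reasons) for token, reasons in findings.items()}

if __name__ == "__main__":
    for token, reasons in find_suspicious_tokens(SAMPLE_EVENTS).items():
        print(token, reasons)
```

A token flagged for both an unexpected source and bulk reads is a strong candidate for immediate revocation, since the integration itself never needed either behaviour.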

Scania: Insurance Platform Compromise (May-June 2025)

Swedish truck and bus manufacturer Scania confirmed a serious breach of its insurance.scania.com platform in May 2025. The attack, claimed by threat actor "hensi," resulted in the theft of approximately 34,000 insurance-related files containing personal, financial, and potentially medical data.

The attackers gained access using stolen credentials from an external IT partner, likely obtained through password-stealer malware. When Scania refused ransom demands, portions of the data were published on dark web forums. The company immediately disabled the affected application and launched an investigation, but the damage was done - sensitive insurance claim documents were now in criminal hands.

Hyundai AutoEver America: Nine Days of Exposure (February-March 2025)

Hyundai's IT services arm, Hyundai AutoEver America (HAEA), suffered a breach that potentially affected 2.7 million vehicle owners. Between February 22 and March 2, 2025, attackers maintained unauthorized access to HAEA's systems, stealing names, Social Security numbers, and driver's license information.

The breach is particularly concerning given HAEA's role in providing IT solutions for the entire Hyundai Motor Group, including vehicle telematics, over-the-air updates, and autonomous driving systems. The company services 2.7 million cars and supports critical automotive IT infrastructure across North America.

This incident adds to Hyundai's growing list of cybersecurity failures, following the 2024 Black Basta ransomware attack on its European operations that resulted in 3TB of data theft.

Jaguar Land Rover: The Billion-Dollar Disaster (August-October 2025)

The Jaguar Land Rover cyberattack represents the most economically devastating automotive cyber incident in British history. Beginning on August 31, 2025, the attack forced a complete production shutdown across all JLR facilities globally, lasting over a month and costing an estimated £50 million per week.

The Scattered Lapsus$ Hunters group claimed responsibility, using sophisticated social engineering techniques including vishing campaigns to trick employees into revealing credentials. As detailed in our comprehensive analysis of the JLR breach, the attack's impact cascaded through JLR's supply chain of 104,000 UK workers, with smaller suppliers forced to lay off staff as payments dried up. The UK government ultimately had to back a £1.2 billion loan to help JLR pay its suppliers.

Security analysts estimate total losses between $1.2-1.9 billion - more than 50% of JLR's 2024 net profit. The Bank of England cited the attack as a factor in slower GDP growth, underlining its macroeconomic significance.

Common Attack Patterns and Vulnerabilities

Analysis of these incidents reveals that 67.3% of automotive cyber incidents in 2024 targeted suppliers rather than OEMs directly. Attackers recognize that smaller suppliers often have weaker security controls but maintain privileged access to larger manufacturers' systems. The Miljödata, Salesforce, and third-party insurance platform breaches all demonstrate this supply chain exploitation strategy. As noted in our 2025 Cyber Security Resilience analysis, while companies have improved their own security, controlling the risk of breaches at IT suppliers and partners remains a significant challenge.

Cloud and API Vulnerabilities

Telematics and application servers were involved in 66% of all automotive cyber incidents in 2024. These systems, essential for modern connected vehicles, store vast amounts of sensitive data including location information, driving behavior, and personal details. Their API-driven architecture and cloud dependencies create multiple attack vectors that criminals eagerly exploit.

The Rise of Ransomware-as-a-Service

Groups like DataCarry, Black Basta, and Scattered Lapsus$ Hunters represent a professionalization of cybercrime. These organizations operate with business-like efficiency, offering ransomware-as-a-service platforms, maintaining customer support for victims, and even issuing press releases about their attacks. In 2024, over 100 ransomware attacks targeted the automotive sector, with 214 resulting in data breaches. The dismantling of BlackSuit ransomware, responsible for the CDK Global attack, marked a rare victory for law enforcement, though new groups quickly filled the void.

Social Engineering Sophistication

Traditional technical defenses are increasingly circumvented through human manipulation. Vishing campaigns, where attackers impersonate IT support or trusted vendors, have proven devastatingly effective. The JLR attack demonstrates how a simple phone call can bypass millions in security investments.

The Broader Implications

Manufacturing Disruption

The JLR case study reveals how cyber incidents can cripple physical production. When IT systems controlling manufacturing execution, logistics, and supplier portals go down, assembly lines grind to a halt. Even without direct operational technology (OT) compromise, IT disruption alone can stop production for weeks.

Financial Cascade Effects

Beyond direct losses, these attacks create rippling financial impacts. JLR's shutdown affected 79% of West Midlands businesses, with 14% making redundancies within weeks. Stock prices drop, insurance premiums rise, and recovery costs mount. CDK Global's 2024 ransomware attack affected 15,000 dealerships for three weeks, demonstrating sector-wide vulnerability. As discussed in our analysis of third-party dependencies and critical infrastructure, when a single vendor like CDK Global goes down, the entire ecosystem collapses - dealerships couldn't even register vehicles at the DMV because those integrations depended on CDK's systems.

Regulatory Response Acceleration

The severity of 2024-2025 attacks has prompted unprecedented regulatory action. The US Department of Commerce proposed banning connected vehicles using Chinese or Russian hardware/software, citing national security concerns. Europe is following suit, while industry-specific regulations like UN R155 and ISO/SAE 21434 are being rapidly adopted.

Defense Strategies and Lessons Learned

Zero Trust Architecture

The assumption that perimeter defenses are sufficient has been thoroughly debunked. Organizations must implement zero-trust principles, verifying every connection regardless of source and limiting lateral movement potential.

Supplier Risk Management

Comprehensive vendor assessments, including mandatory penetration testing and real-time security monitoring, are no longer optional. Contracts must enforce strict breach notification timelines and regular compliance audits. The Volvo-Miljödata incident shows how a single weak supplier can compromise multiple major corporations.

Incident Response Preparedness

The difference between JLR's month-long shutdown and quicker recoveries elsewhere often comes down to incident response maturity. Organizations need tested playbooks, offline backups, and clear communication protocols. The ability to quickly isolate affected systems while maintaining some operational capacity can mean the difference between millions and billions in losses.


Investment in vSOCs

Vehicle Security Operations Centers (vSOCs) are emerging as critical infrastructure for automotive cybersecurity. These specialized facilities monitor vehicle fleets in real-time, detecting anomalies and responding to threats before they escalate. Investment in vSOC capabilities increased by over 40% in 2024.

AI-Powered Defense and Attack

Both defenders and attackers are rapidly adopting AI technologies. While criminals use AI to craft more convincing phishing emails and automate attack campaigns, defenders deploy AI for threat detection, anomaly identification, and automated response. This AI arms race will likely define automotive cybersecurity's future.

Looking Ahead: 2025 and Beyond

The automotive industry stands at a critical juncture. By 2025, over 400 million connected cars will be in operation, each a potential attack vector. The integration of AI, autonomous driving systems, and vehicle-to-everything (V2X) communication exponentially expands the attack surface.

China's growing dominance in the EV market adds geopolitical complexity, with Western governments increasingly viewing automotive cybersecurity through a national security lens. The proposed bans on Chinese automotive technology reflect fears that vehicles could become surveillance platforms or be remotely disabled during conflicts.

Industry projections suggest the automotive cybersecurity market will grow from $3.52 billion in 2024 to $10.42 billion by 2034, representing an 11.6% CAGR. This investment is not optional - it's essential for survival in an industry where a single breach can cost billions and threaten entire supply chains.

Critical Takeaways

  1. Third-party risk is first-party risk: The majority of major breaches originated through suppliers, not direct attacks on OEMs.
  2. Cloud platforms are double-edged swords: While enabling innovation and connectivity, cloud dependencies create systemic vulnerabilities affecting entire industries.
  3. Ransomware is industrializing: Criminal organizations now operate with corporate efficiency, making attacks more frequent and damaging.
  4. Recovery costs dwarf ransom demands: JLR's billion-dollar losses from operational disruption far exceeded any ransom amount, highlighting the true cost of inadequate preparation.
  5. Regulatory compliance isn't enough: Companies meeting all regulatory requirements still suffered massive breaches, indicating that compliance is a floor, not a ceiling, for security.

Conclusion

The 2024-2025 automotive cybersecurity crisis represents a watershed moment for the industry. The attacks on Volvo, Stellantis, Scania, Hyundai AutoEver, and Jaguar Land Rover aren't isolated incidents - they're symptomatic of fundamental vulnerabilities in how the modern automotive ecosystem operates.

As vehicles become rolling computers and supply chains digitize further, the attack surface will only expand. The companies that survive and thrive will be those that treat cybersecurity not as a cost center but as essential infrastructure for business continuity. The alternative, as JLR's billion-dollar disaster demonstrates, is catastrophic disruption that threatens not just individual companies but entire national economies.

The automotive industry must shift from reactive defense to proactive resilience, from compliance-focused to threat-informed strategies, and from isolated security to ecosystem-wide collaboration. The criminals have already industrialized - it's time for automotive cybersecurity to do the same.


This analysis is based on publicly reported incidents and industry reports through November 2025. As the threat landscape evolves rapidly, organizations should consult current threat intelligence for the latest information.

