Tuesday, June 23, 2026. 8:00 AM IST.
A new shift was beginning at one of India’s largest vehicle manufacturers. Workers arriving. Systems booting up. The familiar rhythm of a production day starting.
That is when Bajaj Auto’s security team detected it. Ransomware, already active, spreading through the company’s IT infrastructure. Not at 3 AM. Not on a weekend when the building is empty. At the start of an ordinary working day, in plain sight of an organisation that responded immediately and well.
The company disclosed the breach in a regulatory filing, confirming that the attack had affected its IT infrastructure and BATL’s systems. After detecting the intrusion, the company’s internal technical team, external cybersecurity experts, and senior management responded immediately to contain the incident. CISO Whisperer
By the time the Indian markets processed the regulatory filing, shares of Bajaj Auto fell by more than 2% during the trading session immediately following the public announcement, reflecting investor anxiety regarding potential operational delays or digital vulnerabilities. CISO Whisperer
Ransomware at 8 AM. Stock price reaction before lunch.
That sequence is the story that every Indian manufacturer, listed or unlisted, needs to sit with. Not just the technical incident. The speed at which a cybersecurity event became a board governance and market disclosure event.
Why BATL Was the Real Target
The incident affected systems at Bajaj Auto and Bajaj Auto Technology Limited, a subsidiary focused on technology development, engineering and research. Cyber Security News
That detail matters more than most coverage has acknowledged.
BATL is not Bajaj Auto’s email server. It is not a back-office finance function. It is the technology subsidiary that handles engineering, research and development, and the digital systems that underpin how Bajaj Auto designs, develops, and manufactures its vehicles. The Pulsar’s engine mapping. The Chetak EV’s software systems. The R&D infrastructure behind KTM’s Indian manufacturing. All of this lives in the technology layer that BATL supports.
Attackers who target a manufacturer’s technology subsidiary are not going for convenience. They are going for the highest-value data and the highest-leverage infrastructure simultaneously. The engineering IP is worth more than the corporate email archive. And the technology systems that connect corporate IT to the production environment are worth more than either.
When ransomware reaches a technology subsidiary like BATL, it is not standing at the edge of the IT environment. It is standing at the door of the factory floor.
The IT/OT Myth That Gets Indian Manufacturers Hurt
There is a belief, genuinely held and frequently repeated in Indian manufacturing boardrooms, that goes like this: “Our assembly line runs on a separate network. If IT is attacked, production continues.”
This belief was reasonable in 2010. It is dangerously outdated in 2026.
Modern manufacturing lines do not operate in isolation from corporate IT. They depend on it continuously. An Enterprise Resource Planning system manages parts sequencing, bill-of-materials validation, and just-in-time inventory. A Manufacturing Execution System translates production orders into floor-level instructions. Quality management systems, maintenance scheduling, logistics coordination, supplier order management: all of these sit in corporate IT and feed directly into what happens on the factory floor.
A physical assembly line cannot run without active instructions from an ERP system or MES. If a ransomware attack encrypts the corporate IT database that feeds the MES, the assembly line stops immediately. This is not because the PLCs are encrypted, but because the machines no longer know what to build, which component to sequence next, or where to route the finished product.
Bajaj Auto has not confirmed production disruption. That is a credit to the speed of their response. But the structural dependency exists regardless of whether this specific attack reached it. Even when operational impact is not immediately confirmed, ransomware affecting IT infrastructure can quickly create risk for production planning, supply chain coordination, logistics, finance, and customer-facing services. skeletos
The question Indian manufacturers need to answer honestly is not “were we disrupted this time?” It is “could we have been, and what would it have cost us per hour?”
For a manufacturer operating at Bajaj Auto’s scale, production interruption cost runs to crores per hour. That arithmetic makes network segmentation, the control that limits how far ransomware can travel from corporate IT toward production systems, one of the highest-return security investments available.
The SEBI Disclosure Moment Changes Everything
The regulatory disclosure is also notable. Bajaj Auto notified CERT-In and disclosed the event under SEBI requirements, showing how ransomware incidents now intersect with cybersecurity reporting, investor transparency, and corporate governance. skeletos
This is a genuinely new dimension in Indian manufacturing cybersecurity, and most CISOs at listed companies have not fully absorbed what it means operationally.
Under SEBI’s requirements, material cybersecurity incidents must be disclosed to stock exchanges. The definition of material is not limited to confirmed data theft or production shutdown. An active ransomware attack on a company’s IT infrastructure, particularly one affecting a technology subsidiary handling R&D, meets the threshold.
Bajaj Auto’s decision to disclose on the same day the attack was detected was the right governance call. But it also means that every listed Indian manufacturer now operates in an environment where a ransomware event detected at 8 AM becomes a market event by 11 AM.
The board members and CFOs of listed manufacturers who are reading this blog need to understand that this is no longer a conversation that can wait for the quarterly IT review. When a ransomware attack becomes a SEBI disclosure, the board is in the story whether they want to be or not.
This is the specific gap that a CXO-level dashboard addresses. A CFO or board member who needs to rely on a phone call from the CISO to understand their exposure in a live incident is a board member making decisions without data. FacctorX gives leadership the real-time operational visibility that transforms a reactive board call into an informed decision.
One Week. Two Indian Manufacturing Giants. One Pattern.
This made Bajaj Auto the latest major Indian manufacturer to face a significant cyber threat amid a surge in ransomware attacks targeting industrial and automotive companies. Shieldworkz
The Bajaj Auto attack was confirmed just one day after Tata Electronics disclosed its own breach, which we covered in our previous blog. Two of India’s most prominent manufacturers. One week. Two separate incidents with no confirmed connection.
There is no indication so far that the ransomware attack on Bajaj Auto is connected to the Tata Electronics incident. Cyber Security News
The absence of a connection is actually the more unsettling finding. These are not coordinated attacks on India’s manufacturing sector by a single group. They are separate campaigns by separate actors arriving in the same week because India’s manufacturing sector has become a high-value, high-volume target in global ransomware economics.
India’s manufacturing output is growing. Global supply chains are shifting production here. Indian manufacturers are investing in digitalization, connecting more systems, deploying more software, integrating more cloud tools. Every one of those investments creates value for the business and creates an attack surface for adversaries.
The ransomware groups know this. They are not targeting Indian manufacturers out of geopolitical strategy. They are targeting them because the return on investment is there.
What Every Indian Manufacturer Must Do This Week
- Map the real IT/OT dependency in your environment: Do not rely on your network diagram from two years ago. Conduct a live audit of which corporate IT systems your production floor actually depends on. ERP, MES, quality management, logistics systems, supplier portals. For each, identify what happens to production output if that system is encrypted for 48 hours. This is the blast radius map that determines where segmentation investment goes first.
- Segment your technology subsidiary from your corporate IT network: Security teams should review access paths between parent companies, technology subsidiaries, shared platforms, and operational environments to limit lateral movement during ransomware incidents. skeletos.
BATL was targeted because it is connected to Bajaj Auto’s network. Every Indian manufacturer with a technology subsidiary, an R&D unit, or a digital transformation division connected to the same corporate network has the same exposure. EasyNAC creates the network visibility and segmentation layer that limits what ransomware can reach from any single entry point, without requiring switch changes or network reconfiguration.
- Protect East-West movement specifically: As our Tata Electronics blog established, and as the ransomware propagation pattern in manufacturing attacks confirms, attackers do not stay in one place. They move laterally through the network seeking the highest-value targets: ERP databases, engineering file servers, backup repositories. Segmentation that blocks East-West movement between network zones is the specific control that changes the blast radius from catastrophic to contained.
- Test your CERT-In notification capability before an incident: Bajaj Auto confirmed that it has reported the ransomware attack to CERT-In, India’s national cybersecurity incident response agency.
India’s CERT-In requires notification within six hours of a confirmed incident. Most Indian manufacturers have no practiced, documented process for this. The first time you run a six-hour notification cycle should not be during an active attack. Run a tabletop exercise this quarter. Know who calls CERT-In, what information they need, and what the documentation workflow looks like.
- Build a SEBI disclosure protocol if you are a listed company: If your company is listed, a material cybersecurity incident requires disclosure to the stock exchanges. This process needs to be defined and practiced before it becomes urgent. Who makes the materiality determination? Who drafts the exchange filing? What does legal review look like under time pressure? Bajaj Auto handled this well. Not every company will be as prepared.
- Validate your backup isolation covers both IT and OT recovery paths: Recovering an enterprise IT environment is completely different from restarting a complex industrial asset. Organizations need to validate whether recovery can be executed effectively under pressure, not just whether backups exist.
A backup that restores your ERP in four hours but cannot restore the configuration of your MES for 72 hours is a backup that leaves your factory floor dark for three days. Test both recovery paths independently.
- Treat technology subsidiaries as high-value targets requiring distinct security posture: An R&D subsidiary that shares a flat network with corporate IT is the easiest path from email server to engineering database. Apply separate access policies, logging, and monitoring to subsidiary systems. The lateral movement pattern that allowed ransomware to reach BATL from Bajaj Auto’s primary IT is the same pattern that EasyNAC’s network segmentation enforcement breaks at the architecture level.
The Broader Pattern
India processed two major manufacturing breach disclosures in less than 72 hours. Both involved established, well-resourced organisations with security teams that responded promptly. Both resulted in attacks that penetrated corporate IT and, in at least one case, reached a technology subsidiary with R&D and engineering access.
The response by Bajaj Auto was fast and apparently effective. The response by Tata Electronics was similarly professional. Neither speed of response nor quality of containment prevented the initial breach from occurring.
That is the data point Indian manufacturing CTOs and CISOs need to take to their boards. The question is not whether you will respond well when this happens. The question is whether your architecture limits what the attacker can reach before your response activates.
Network segmentation, device visibility, and lateral movement controls are the architectural layer that changes that equation. They do not prevent every attack. They determine how much of your environment an attacker can reach in the hours before your incident response team shuts them down.
Final Thought
That is not a failure of detection speed. Bajaj Auto found it at 8 AM and disclosed it by the close of business. That is a fast, well-managed response.
The question the Bajaj Auto incident leaves behind is not about response. It is about architecture. How did the ransomware travel from its initial entry point to BATL? What network path allowed it to reach the technology subsidiary that handles engineering and R&D?
The answer to that question is in the network topology. In the connections between segments that should have been controlled but were not. In the lateral movement path that good segmentation would have broken before BATL was in scope.
India is building its position as a global manufacturing hub. Bajaj, Tata, Mahindra, dozens of component manufacturers. That ambition comes with a security responsibility that the threat landscape is now testing, visibly and repeatedly, at the highest level.
The factory floor and the IT room are not separate anymore. The network that connects them needs to be designed with that reality in mind.
At Skeletos IT Services, we help Indian manufacturers build the network segmentation and device visibility layer that limits what ransomware can reach from any single entry point. EasyNAC deploys without switch changes or reconfiguration, giving your IT team real-time visibility into every device on your network and policy-enforced segmentation between corporate IT, technology subsidiaries, and operational technology. If you want to understand how far a ransomware attack could travel in your current environment, we can show you in 30 minutes.
FAQ BLOCK
Q: What happened in the Bajaj Auto ransomware attack of June 2026?
A: On June 23, 2026, Bajaj Auto detected an active ransomware attack at approximately 8:00 AM IST affecting its primary IT infrastructure and Bajaj Auto Technology Limited, its wholly owned technology subsidiary focused on engineering, R&D, and technology development. The company notified CERT-In and made a SEBI regulatory disclosure the same day. Bajaj Auto reported containment measures as successful, but did not confirm whether data was stolen or production was disrupted.
Q: What is the IT/OT convergence risk for Indian manufacturers?
A: IT/OT convergence refers to the dependency between corporate information technology systems and operational technology on the factory floor. Modern manufacturing lines depend on ERP and MES systems running on corporate IT to manage parts sequencing, production orders, and inventory. If ransomware encrypts corporate IT systems that feed the factory floor, production stops even if the physical machines are untouched. Indian manufacturers who believe their factory floor is isolated from their corporate network typically have hidden dependencies they have never mapped.
Q: How does EasyNAC help manufacturers protect against ransomware like the Bajaj Auto attack?
A: EasyNAC provides real-time network visibility and policy-based segmentation that limits how far ransomware can travel from its initial entry point. By identifying every device on the network and enforcing access controls between network segments, EasyNAC prevents lateral movement from corporate IT into technology subsidiaries or operational systems. It deploys without switch changes or network reconfiguration, making it practical for manufacturers to deploy across multiple facilities quickly.
Q: Does the Bajaj Auto attack require SEBI disclosure?
A: Yes. SEBI requires listed companies to disclose material cybersecurity incidents to stock exchanges. Bajaj Auto made a regulatory exchange filing on the same day the attack was detected, June 23, 2026, causing a 2% share price decline in the immediate trading session. Listed Indian manufacturers must have a documented SEBI disclosure process that includes materiality determination, exchange filing, and legal review, practiced before an incident occurs rather than during one.
Q: What is CERT-In and what does India’s 6-hour notification requirement mean?
A: CERT-In is India’s national cybersecurity incident response agency operating under the Ministry of Electronics and Information Technology. Under the IT Act 2000 and CERT-In’s 2022 directions, organisations must report cybersecurity incidents to CERT-In within six hours of detection. Bajaj Auto complied with this requirement. Indian manufacturers must have a practiced, documented notification workflow that can deliver a CERT-In report within six hours, including incident details, systems affected, and initial response actions taken.

