Hackers Bricked a Breathalyzer Firm's Systems and Left 150,000 Drivers Stranded

When Your Car Decides You Cannot Drive, but It Is Not Your Fault

Imagine blowing into a tube every time you start your car, doing everything right, and still being told you cannot go anywhere. That is the reality for thousands of drivers across the United States after a cyberattack knocked out Intoxalock, one of the country's largest ignition interlock providers, on 14 March 2026.

Intoxalock, owned by Consumer Safety Technology (which rebranded its parent company to the rather optimistic name Mindr), supplies court-mandated breathalyser devices to roughly 150,000 drivers annually across 46 states. The devices require users convicted of drink-driving offences to blow a clean breath sample before their vehicle will start. They also need recalibrating every couple of months, or the car locks you out entirely.

You can probably see where this is going.

What Actually Happened

Hackers flooded Intoxalock's servers, disrupting operations nationwide. The company took the precautionary step of pausing its systems, which sounds responsible until you realise the knock-on effect: installations, removals, calibrations, and even basic account access all went dark.

For drivers whose calibration window fell during the outage, that meant their vehicles were effectively bricked. Not because they had been drinking, not because of any fault of their own, but because a company's servers got hammered by unknown attackers.

One affected driver, Tina Ward from Canastota, New York, reported being unable to attend scheduled medical appointments because her vehicle was completely immobilised. She is far from alone.

Nobody Is Saying What Kind of Attack It Was

Here is the frustrating bit. Intoxalock has refused to confirm whether this was ransomware, a distributed denial-of-service attack, or something else entirely. The company told reporters that hackers were "flooding" its servers, which sounds like a DDoS attack on the surface. But the decision to proactively pause systems hints at something potentially more serious, possibly ransomware containment.

No group has claimed responsibility for the attack. Intoxalock has stated that user data remains safe, though given the company will not even name the type of attack, you might be forgiven for taking that assurance with a generous pinch of salt.

The New York Department of Criminal Justice Services was notified and classified the incident as a "cybersecurity event," which is the bureaucratic equivalent of saying "something bad happened and we are looking into it."

The Company's Response

To their credit, Intoxalock has offered affected customers a few concessions:

• A 10-day extension on calibration deadlines
• Fee waivers during the disruption period
• Reimbursement for towing costs directly caused by the outage

The company also stated it would cover any costs that are a direct result of the interruption. Whether "direct result" stretches to cover missed medical appointments, lost wages, or the sheer inconvenience of being carless for days remains to be seen.

Why This Matters Beyond the US

For those of us watching from the UK, this is a pointed reminder of what happens when essential, court-mandated services depend entirely on cloud connectivity. Interlock devices are increasingly discussed as a sentencing option in British courts too, and if similar systems gain traction here, the same vulnerabilities apply.

The broader lesson is simple: if you are going to make a physical device that stops a car from starting, that device needs to fail gracefully. Locking someone out of their vehicle because your servers are under attack is not a security feature. It is a design flaw.

As of 20 March 2026, the situation remains ongoing, and Intoxalock's status page continues to acknowledge disruption. For 150,000 drivers a year who depend on these devices to get to work, to hospital appointments, and to court-ordered obligations, "we are working on it" is cold comfort when your car will not start.

Read the original article at source.