Starting on 14 March 2026, a cyberattack struck the central servers of Intoxalock (Consumer Safety Technology LLC), a Des Moines, Iowa-based company and one of the leading US providers of alcolock devices connected to vehicle ignition systems. The attack caused a prolonged outage of backend systems responsible for calibrations, device activation and communication with authorised service centres, leaving a significant share of the roughly 150,000 drivers who rely on the company’s technology each year unable to use their vehicles. The company operates in 46 of the 50 US states.
Alcolock devices — known in the US as ignition interlock devices (IID) — are mandated by courts and administrative authorities for drivers convicted of drink-driving or alcohol-related offences. To start a vehicle, the driver must blow into the device and register below a specified blood alcohol limit. These devices require periodic calibration, every 30 to 120 days depending on state regulations and contractual terms. These operations are carried out at authorised service centres and depend on connectivity with the provider’s central servers.
The attack was identified on 14 March 2026. According to cybersecurity sources, the unauthorised access triggered a server overload and a widespread operational shutdown. Within hours, users on Intoxalock’s Reddit community reported a total service outage: phone lines, calibration centres, mobile apps and server systems were all simultaneously unavailable. On 18 March, the company issued a formal statement confirming it had been targeted by hackers who, in the company’s words, “were overloading our servers”, potentially affecting some users’ ability to start their vehicles. On 22 March, Intoxalock announced full system restoration after eight days of disruption.
The practical impact was particularly severe for two categories of users: drivers with scheduled calibrations between 14 and 22 March, who were unable to complete the service, and those placed in lockout — for example due to missed calibrations or device-recorded violations — whose vehicles could not be reactivated without access to servers or a service centre capable of communicating with the backend. Testimonies collected by local media and online communities describe vehicles stranded at garages and installers, and drivers unable to travel to work or medical appointments, especially in rural areas with limited transport alternatives. Newspapers reported cases from Maine to California, and from Minnesota to Iowa.
From a technical standpoint, the company described the incident as a hacker attack that “flooded” the servers, a characterisation consistent with a denial-of-service attack or hybrid tactics, without confirming the use of ransomware or the presence of ransom demands. UpGuard classified the incident as medium severity due to its broad operational impact, noting that there is no public evidence of data exfiltration. Intoxalock repeatedly stated that user data is “safe”, without providing technical details. However, analysts from UpGuard and other observers pointed out that the volume and sensitivity of the data handled — including personal information, judicial programme status and test histories — make the company an attractive target, and that any forensic investigation will take time.
To mitigate the disruption, Intoxalock offered a ten-day calibration extension — with availability varying by state and device type — announced possible reimbursements for towing costs directly linked to the outage, suspended new installations until at least 22 March, and promoted alternative SMS contact channels to provide basic customer information while call centres were overloaded. The Oklahoma Board of Tests for Alcohol and Drug Influence issued an official notice urging programme participants to document device messages and communications with the provider, clarifying that compliance would be assessed case by case in light of the disruption.
The case highlights three structural issues that go beyond the specific incident. The first is technical centralisation: all calibrations, compliance reports and many unlocking functions depend on the provider’s servers, creating a single point of failure capable of immobilising thousands of users bound by judicial decisions. The second is the reliance of public functions on private infrastructure: court-mandated monitoring tools depend on companies that are not always subject to the same resilience and transparency standards required of traditional critical infrastructure. The third is the asymmetry between user and provider: a driver complying with a court programme risks being deemed non-compliant due to an IT failure beyond their control, with potentially serious legal and contractual consequences. It remains unclear whether state programmes include provisions for “digital force majeure” events or whether service contracts provide adequate safeguards.
These questions are not limited to the US system. In Europe, and particularly in Italy, regulations mandate the use of alcolock devices in the most serious drink-driving cases, extending their application to industrial and professional vehicles such as lorries, buses and vehicles transporting hazardous goods. In Italy, Legislative Decree 150 of 2021, which reformed the Highway Code, along with subsequent implementing measures, has strengthened and expanded this requirement, making the device a judicial and administrative control tool also for professional road haulage. In a sector such as logistics and freight transport, where vehicle availability is directly linked to meeting delivery schedules and service contracts, an outage like the one experienced by Intoxalock’s customers would have far broader economic and operational consequences than those recorded among private motorists in the US.
The resilience of alcolock systems connected to centralised digital infrastructure has yet to receive the same regulatory urgency in Europe as other critical sectors. The Intoxalock incident offers a concrete case for reflection: what happens to a professional haulier — and their company — if their alcolock calibration system goes offline due to a cyberattack? Who is liable for missed deliveries, penalties for non-compliance with monitoring programmes, or the costs of vehicle downtime? Regulators and industry associations will likely need to address these scenarios before they become a reality on this side of the Atlantic.
M.L.