On March 14, 2026, a cyberattack struck Consumer Safety Technology LLC - the Des Moines, Iowa-based company operating under the trade name Intoxalock - and disabled the backend calibration infrastructure for approximately 150,000 court-mandated ignition interlock devices installed in vehicles across 46 states.
For eight days, tens of thousands of drivers enrolled in court-ordered DUI monitoring programs could not complete mandatory device calibrations required every 25 to 30 days, causing their interlock devices to lock their vehicles' ignition systems and rendering them undriveable.
Named plaintiff Derrick Curry of Worth, Illinois, was fired from his job after two days without transportation, paid over $1,000 in towing costs - including a $700+ tow after his car shut off while he was driving down a city street - and reports indicators of identity theft including spam floods and a fraudulent loan application in the immediate aftermath.
A class action lawsuit filed March 26, 2026, alleges that attackers stole "vast quantities of information" including personally identifiable information, criminal history records, and financial billing data.
Intoxalock has refused to confirm the attack type, whether a ransom demand was received, or whether customer data was compromised.
This is one of the rare cyberattacks in 2026 with direct, immediate physical-world impact on ordinary people - and the data at risk is among the most sensitive imaginable: breath alcohol measurements, GPS coordinates, facial photographs, and court records.
KEY FACTS
- What: Cyberattack disabled backend calibration systems for court-mandated ignition interlock breathalyzer devices, stranding tens of thousands of DUI-program drivers for 8 days and allegedly exfiltrating "vast quantities" of sensitive personal data.
- Who: Consumer Safety Technology LLC d/b/a Intoxalock (Des Moines, Iowa; ~$136M annual revenue; ~270-500 employees; parent company Mindr, portfolio company of L Catterton). Approximately 150,000 annual users across 46 states. 5,500+ service center locations.
- How: Server flood attack per company description. Intoxalock refused to confirm whether the attack was ransomware, whether data was exfiltrated, or whether a ransom demand was received. The class action complaint alleges cybercriminals "disabled critical network infrastructure and successfully stole vast quantities of information."
- Data at risk: Breath alcohol concentration (BAC) measurements, GPS coordinates of every breath test, facial photographs captured during each test, vehicle start/stop timestamps, rolling retest results, court case numbers, criminal histories, driver's license information, Social Security numbers, residential addresses, phone numbers, email addresses, and financial billing data.
- Data stolen: "Vast quantities of information" per class action complaint. Plaintiff Derrick Curry alleges identity theft indicators: alarming volume of spam emails and calls, plus notification that someone applied for a loan using his credentials.
- Actor: Unknown. No threat actor has claimed responsibility. No attribution by researchers or law enforcement. Intoxalock has not disclosed any communications from attackers.
- Impact: 8-day nationwide service outage (March 14-22). Tens of thousands stranded. Plaintiff fired from job. $1,000+ towing costs (car shut off while driving). Potential probation violations for missed calibrations. Class action filed.
WHAT HAPPENED
On March 14, 2026, Intoxalock's backend systems went offline following what the company described as a cybersecurity event involving a server flood attack.
The attack did not disable the physical interlock devices installed in vehicles - those continued to function at the hardware level. What it disabled was the cloud-based calibration infrastructure that the devices depend on to remain operational.
Ignition interlock devices require mandatory calibration every 25 to 30 days to maintain accuracy and compliance with court orders.
When a device cannot connect to the calibration system within its prescribed window, it enters a lockout state that prevents the vehicle's ignition from engaging.
The backend outage converted a cybersecurity incident into a physical immobilization event affecting vehicles across 46 states.
Intoxalock discovered the cybersecurity event on March 15 and began posting updates to a dedicated status page.
On March 16, the company emailed customers informing them of a "cybersecurity event" and stating that devices would continue operating - a claim that proved false for drivers whose calibration windows expired during the outage.
On March 18, the company confirmed that calibration services remained paused and directed service centers to issue 10-day device extensions where possible.
Extensions were not available in all states or for all device models - Pennsylvania's 2001A (black) units were excluded, and states including Arkansas, Massachusetts, Michigan, and Washington had separate compliance rules.
Installations were paused through March 20, then extended through March 22. The company provided a dedicated SMS support line (424-724-4689), a roadside assistance number (844-226-7522), and promised to reimburse towing costs with documentation.
On March 22, Intoxalock announced that "our systems have resumed" and that installations, calibrations, and service center support were available. Wikipedia places full restoration at March 28, accounting for the extended resolution period for all affected users.
Throughout the incident, Intoxalock refused to answer fundamental questions. When asked by TechCrunch whether the attack was ransomware, the company declined to specify.
When asked whether customer data had been compromised, the company stated that "user data remains secure" - a claim directly contradicted by the class action complaint filed eight days later. When asked whether a ransom demand had been received, the company declined to comment.
The company has not disclosed any communications from the attackers.
THE DATA - WHY THIS BREACH IS DIFFERENT
Ignition interlock devices are not passive monitors. They are active biometric surveillance systems mandated by courts and operated by a private company. The data Intoxalock collects on each user includes:
- Breath alcohol concentration (BAC) measurements - every test result, including failures, timestamped and geolocated. This is medical-adjacent data that reveals substance use patterns.
- GPS coordinates - real-time location tracking transmitted with every breath test in a growing number of states. This creates a continuous location history tied to a named individual's court case.
- Facial photographs - many states require camera-equipped devices that photograph the driver during each breath test to verify identity. These images are biometric data.
- Vehicle start/stop timestamps - a complete record of when and where the vehicle was operated.
- Rolling retest results - periodic breath tests required while the vehicle is in motion, with results and timestamps.
- Court case numbers and criminal history - users must provide their conviction details and court orders as a condition of enrollment.
- Personally identifiable information - full names, dates of birth, residential addresses, phone numbers, email addresses, driver's license numbers, and Social Security numbers provided during enrollment and billing.
- Financial billing information - credit card or bank account details for monthly device fees typically ranging from $70 to $150.
This data cannot be anonymized in any meaningful way. A breath alcohol measurement without a name is useless to a court. A facial photograph without a timestamp is useless to a probation officer.
Every data point is designed to be identified, attributed, and used in legal proceedings.
If the "vast quantities of information" alleged in the class action complaint include device telemetry alongside PII and court records, the exposure creates a dataset that links biometric data, substance use history, location tracking, criminal records, and financial information in a single breach - a combination that is extraordinarily rare and extraordinarily dangerous for affected individuals.
WHAT WAS EXPOSED
Based on the class action complaint (Curry v. Consumer Safety Technology LLC), plaintiff allegations, and the known data collection practices of ignition interlock devices:
- Personally identifiable information - full names, dates of birth, residential addresses, phone numbers, email addresses, driver's license numbers, and Social Security numbers.
- Criminal history records - DUI conviction details, court case numbers, probation terms, and sentencing conditions required for device enrollment.
- Financial billing data - credit card numbers, bank account details, and payment histories for monthly device fees.
- Breath alcohol concentration data (at risk) - every BAC test result, pass or fail, with timestamps. Reveals substance use patterns that could be used for extortion, employment discrimination, or custody disputes.
- GPS location data (at risk) - coordinates transmitted with each breath test, creating a comprehensive location history for each user.
- Facial photographs (at risk) - biometric images captured during breath tests. Cannot be changed. Permanent exposure.
- Vehicle telemetry (at risk) - start/stop times, rolling retest data, and violation records.
The distinction between "confirmed stolen" and "at risk" matters. The class action alleges "vast quantities of information" were stolen but does not enumerate the specific data categories beyond PII, criminal history, and financial data.
Intoxalock's claim that "user data remains secure" has not been independently verified and is contradicted by the plaintiff's reported identity theft indicators.
Until Intoxalock provides a transparent accounting of what was and was not accessed, every data category the company collects must be treated as potentially compromised.
TECHNICAL FAILURE CHAIN
1. Single-point-of-failure architecture. Intoxalock's entire nationwide fleet of 150,000 devices depends on a centralized cloud-based calibration system with no offline fallback. When that system went down, every device approaching its calibration window became a brick.
A court-mandated safety system that can be rendered inoperable by a single backend failure is architecturally negligent.
There is no local calibration capability, no grace period logic built into the device firmware, and no degraded-mode operation that would allow basic vehicle function during a backend outage.
2. No resilient failover or disaster recovery. The 8-day outage duration indicates that Intoxalock had no tested disaster recovery plan, no hot standby environment, and no ability to rapidly restore critical services.
For a system that directly controls whether people can operate their vehicles - a system mandated by courts and tied to probation compliance - 8 days of total service loss is a catastrophic DR failure.
Industry standards for critical infrastructure target recovery time objectives measured in hours, not days.
3. Inadequate network perimeter defenses. Intoxalock described the attack as a server flood - consistent with a distributed denial-of-service (DDoS) attack. DDoS mitigation is a solved problem.
Cloud-based DDoS protection services from Cloudflare, AWS Shield, Akamai, and others can absorb volumetric attacks at scale.
An 8-day outage from a DDoS attack suggests either no DDoS mitigation was in place, the mitigation was misconfigured, or the "server flood" description obscures a more severe compromise.
4. Potential data exfiltration alongside service disruption. The class action complaint alleges that attackers both disabled infrastructure and stole data.
If accurate, this suggests either the DDoS was a smokescreen for a deeper network intrusion, or the attack involved multiple vectors - service disruption combined with unauthorized access to databases.
The plaintiff's report of identity theft indicators within days of the attack supports the data exfiltration allegation.
5. Misleading customer communications. On March 16, Intoxalock emailed customers stating the cybersecurity event would not prevent devices from operating. Hours later, devices began locking users out.
The company's public claim that "user data remains secure" is contradicted by the class action's data theft allegations and the plaintiff's identity theft experience.
Misleading communications during a security incident compound the harm by preventing affected individuals from taking protective action.
6. No federal cybersecurity standards for interlock vendors.
There is no federal requirement for ignition interlock device vendors to meet any cybersecurity baseline - no SOC 2 requirement, no penetration testing mandate, no incident response plan requirement, and no data protection standard.
State-level regulation focuses exclusively on device accuracy and BAC measurement standards, not on the security of the backend systems or the protection of the sensitive data these devices collect.
Intoxalock operates critical court-mandated infrastructure with less cybersecurity oversight than a typical e-commerce website.
REGULATORY EXPOSURE
- State breach notification laws (all 50 states) - If SSNs and financial data were exfiltrated as alleged, mandatory notification is triggered in every state where affected users reside. Most states require notification within 30-60 days of discovery. Iowa Code Chapter 715C requires notification "in the most expedient time possible and without unreasonable delay." As of March 31, 2026, no state attorney general filings have been publicly reported.
- CCPA/CPRA (California) - California residents using Intoxalock devices have the right to know what personal information was collected and disclosed. If the breach involved California residents' data, the private right of action under Cal. Civ. Code 1798.150 allows statutory damages of $100-$750 per consumer per incident for unauthorized access resulting from failure to implement reasonable security. Intentional violations carry penalties up to $7,500 per violation.
- Illinois Biometric Information Privacy Act (BIPA) - If facial photographs from camera-equipped interlock devices were compromised for Illinois residents (including plaintiff Curry of Worth, Illinois), BIPA's private right of action allows $1,000 per negligent violation and $5,000 per intentional or reckless violation. BIPA requires informed written consent before collecting biometric identifiers and mandates specific data retention and destruction policies.
- FTC Act Section 5 - Intoxalock's public statement that "user data remains secure," if false, constitutes a potentially deceptive trade practice. The FTC has brought enforcement actions against companies that misrepresented the security of consumer data. Consent decrees typically require 20 years of independent security audits.
- HIPAA (potential) - Breath alcohol concentration data and associated health information may constitute protected health information if Intoxalock shares data with healthcare providers, treatment programs, or substance abuse counselors as part of court-ordered monitoring. If any covered entity relationship exists, HIPAA's breach notification rule (60-day notification to HHS and affected individuals) and security rule requirements apply. Penalties range up to $2.1 million per violation category per year.
- SEC disclosure (if applicable) - If Consumer Safety Technology or its parent Mindr/L Catterton has any securities reporting obligations, the 4-business-day materiality disclosure requirement under SEC Form 8-K would apply.
- State consumer protection statutes - The class action invokes failure to safeguard data, failure to maintain critical infrastructure, and failure to provide timely notification. Individual state consumer protection laws in all 46 states where Intoxalock operates may provide additional causes of action.
- Iowa Consumer Fraud Act (Iowa Code Chapter 714H) - As the company is headquartered in Iowa, the Iowa AG has jurisdiction. Deceptive practices, including misrepresentation of data security, are actionable.
- Court-mandated compliance implications - Drivers who missed calibration deadlines due to the outage may face probation violations, license suspensions, or extended interlock requirements through no fault of their own. Oklahoma issued guidance directing users to document communications and stated the state would assess circumstances. Tennessee extended compliance deadlines through March 24. Most states issued no formal guidance, leaving drivers in legal limbo.
ZERO|TOLERANCE Advisory
1. Implement distributed, regionally redundant calibration infrastructure with offline fallback. A court-mandated safety system serving 150,000 users across 46 states cannot depend on a single centralized backend.
Calibration services should be deployed across multiple cloud regions with automatic failover.
Device firmware should include a configurable grace period - a minimum of 72 hours beyond the calibration window - that allows basic vehicle operation during backend outages while alerting the user to recalibrate at the earliest opportunity.
2. Deploy enterprise-grade DDoS mitigation. Cloud-based DDoS protection from providers such as Cloudflare, AWS Shield Advanced, or Akamai Prolexic should be deployed in front of all public-facing infrastructure. These services can absorb multi-terabit volumetric attacks.
An 8-day outage from a traffic flood is inexcusable when mitigation services are widely available and can be deployed in hours.
3. Implement network segmentation separating calibration services from data stores. If the attack combined service disruption with data exfiltration, it indicates that calibration infrastructure and customer databases were not adequately segmented.
Backend databases containing PII, criminal history, biometric data, and financial information must be isolated in separate network segments with strict access controls, and should not be reachable from the same attack surface as public-facing calibration endpoints.
4. Encrypt sensitive data at rest with hardware security module (HSM) key management.
Breath alcohol data, facial photographs, GPS coordinates, and criminal history records should be encrypted at rest using AES-256 with keys managed by HSMs. Even if an attacker gains database access, encrypted data is useless without the encryption keys.
This is table stakes for any organization handling biometric and criminal justice data.
5. Establish a tested disaster recovery plan with a 4-hour recovery time objective. For critical infrastructure that directly controls vehicle operation, the recovery time objective should be measured in hours.
Quarterly DR tests should validate the ability to restore full service within the target window. The 8-day outage demonstrates that either no DR plan existed or it was never tested against a realistic scenario.
6. Provide honest, timely incident communications. Do not tell customers their devices will continue working when they will not. Do not claim data is secure when a class action complaint alleges otherwise.
Transparent communication during a security incident is both a legal obligation under breach notification statutes and a basic duty to users whose physical mobility depends on your systems.
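
The firmware grace period recommended in advisory item 1 (and listed as missing in item 1 of the failure chain), written as device-side decision logic. This is an added example, not Intoxalock firmware or code from any source cited here. The type and function names are hypothetical, and two rules are assumptions of the example: grace applies only when the backend failed to answer, and a lockout never cuts a running engine.

```c
/* Added example: hypothetical firmware-side calibration policy, not vendor code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HOUR_S      3600u
#define DAY_S       (24u * HOUR_S)
#define MIN_GRACE_S (72u * HOUR_S) /* advisory floor: 72 hours past the window */

typedef enum { CAL_OK, CAL_GRACE_WARN, CAL_LOCKOUT } cal_state_t;

typedef struct {
    uint32_t interval_s; /* calibration window, e.g. 30 days */
    uint32_t grace_s;    /* configured grace; values below the floor are raised */
} cal_policy_t;

typedef struct {
    uint32_t since_cal_s;         /* seconds since last good calibration */
    bool     backend_unreachable; /* assumption: last attempt got no backend reply */
} cal_input_t;

static uint32_t effective_grace(const cal_policy_t *p) {
    return p->grace_s < MIN_GRACE_S ? MIN_GRACE_S : p->grace_s;
}

/* Grace is granted only when the device tried and the backend did not answer;
 * a driver who simply skipped a reachable calibration still locks out. */
cal_state_t cal_evaluate(const cal_policy_t *p, const cal_input_t *in) {
    if (in->since_cal_s <= p->interval_s)
        return CAL_OK;
    if (!in->backend_unreachable)
        return CAL_LOCKOUT;
    uint32_t overdue = in->since_cal_s - p->interval_s;
    return overdue <= effective_grace(p) ? CAL_GRACE_WARN : CAL_LOCKOUT;
}

/* The breath test always gates a start. A lockout blocks the next start only:
 * it never cuts an engine that is already running (assumption of this example). */
bool ignition_permitted(cal_state_t s, bool breath_passed, bool engine_running) {
    if (engine_running)
        return true;
    return breath_passed && s != CAL_LOCKOUT;
}

int main(void) {
    /* Constructed scenario: 30-day window, grace misconfigured to 0 hours,
     * device is 31 days past calibration and the backend is down. */
    cal_policy_t policy = { 30u * DAY_S, 0u };
    cal_input_t  in     = { 31u * DAY_S, true };
    cal_state_t  s      = cal_evaluate(&policy, &in);
    printf("state=%d start_allowed=%d\n", (int)s,
           (int)ignition_permitted(s, true, false));
    return 0;
}
```

In the `CAL_GRACE_WARN` state the device would also raise the recalibration alert the advisory calls for; the grace window is bounded and does not renew, so a prolonged outage still ends in lockout.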
SOURCES
Company, ByteIota, CEO Outlook, Technology.org, DysruptionHub, Justia (Curry v.