Reach security professionals who buy.

850K+ monthly readers 72% have budget authority
Advertise on Breached.Company →

Editor’s Note — Updated March 23, 2026: Following publication, Intoxalock’s Director of Communications contacted Breached Company to request corrections to several claims in the original article. We take accuracy seriously and have updated the article accordingly. Key corrections: Intoxalock’s devices were not universally non-functional during the outage — the devices themselves remained operational. The disruption specifically affected customers who required a calibration during the system pause, which the company states was not the majority of their customers. Additionally, multiple IID providers exist across states; drivers are not universally assigned to a single vendor. Intoxalock also confirmed their systems were fully restored on March 22, 2026. The company’s full statement appears in a dedicated section below. The broader structural and regulatory arguments in this article remain the author’s analysis and are unaffected by these corrections.

There’s a version of cybersecurity writing that treats every attack as a technical event — servers go down, data gets encrypted, someone pays a ransom. Abstract. Clean. Contained.

Then there’s the version where someone is standing in a parking lot at 7 AM, sober, late for work, and their car won’t start.

Since March 14, 2026, that scenario played out for a subset of Intoxalock’s customers across 46 states — specifically, those who required a calibration during the company’s system pause. Not because they did anything wrong. Not because of a mechanical failure. Because Intoxalock — the company whose device the court system required them to install in their vehicles — experienced a cyberattack that took their backend systems offline, disrupting the calibration process those drivers depended on.

Original claim: All 150,000 drivers could not start their cars. Correction: Intoxalock’s ignition interlock devices themselves remained operational during the outage. The disruption was specific to drivers whose calibration was due during the system pause — those customers experienced a delay in starting their vehicles. Intoxalock states this was not the majority of their customer base, though the company has declined to provide an exact number while the incident remains under review.

This is what happens when a court-ordered safety requirement depends on a vendor’s cloud connectivity for compliance functions, and the regulatory framework never asked hard questions about what happens when the vendor goes down.

What Intoxalock Is (and Who It Controls)

Most people outside the DUI enforcement system have never heard of Intoxalock. That’s by design — these devices exist in a corner of the justice system that operates largely outside public visibility.

Here’s the system: When someone is convicted of a DUI in most US states, a condition of their restricted driving privileges is the installation of an ignition interlock device (IID). The device requires the driver to blow into a breathalyzer before the car will start. Periodic “rolling retests” occur while driving. If the device detects alcohol above a threshold, the vehicle won’t start or issues a warning.

Intoxalock is one of the largest IID providers in the country, operating in all 46 of the states affected by this outage.

The devices aren’t purely mechanical. They require periodic calibration — typically every 30 to 60 days — at authorized service centers. This calibration is logged, transmitted to state monitoring systems, and often required as a condition of the court order. Miss a calibration window, and the device can be programmed to prevent the car from starting. Fail to transmit calibration data to the monitoring system, and you may be reported as non-compliant to your probation officer or the state DMV.

All of that calibration, data transmission, and compliance reporting runs through Intoxalock’s servers.

When the servers went down on March 14, the calibration system — which a portion of Intoxalock’s customers depend on to start their vehicles — became unavailable. Drivers whose devices were not due for calibration were unaffected. Those who were due for calibration, or who entered a lockout state requiring calibration, experienced delays in starting their vehicles.

The Attack: What Happened

Intoxalock has described the incident as a DDoS-style cyberattack — a flood of traffic designed to overwhelm and take offline their servers. The attack began March 14 and, as of March 20, 2026, had not been fully resolved. No restoration timeline has been publicly provided.

The company’s status page — learn.intoxalock.com/status — has been tracking the ongoing outage. The updates there are worth reading in full, because they illustrate exactly how a vendor with hundreds of thousands of captive customers communicates during a crisis: cautiously, with narrow commitments and maximum ambiguity.

What Intoxalock has offered affected drivers:

  • Towing reimbursement for vehicles that can’t start
  • 10-day calibration extensions at service centers (available in most states)
  • Paused installation appointments through March 22

What varies by state is telling. Tennessee drivers have an extension through March 24. Michigan and Washington residents are specifically noted as not covered by the extension. Why? Because IID programs are regulated at the state level, and each state’s administrative rules about compliance windows, extension authority, and vendor accountability differ. The patchwork is the feature, not the bug — but right now it’s leaving some of the most vulnerable affected drivers without recourse.

SMS support line: (424) 724-4689
Roadside assistance: 844-226-7522
Current status: learn.intoxalock.com/status

The Cruel Irony at the Center of This

Take a moment to sit with what’s actually happening here.

These 150,000 drivers were required to install this device. It wasn’t optional. It was a court order, a condition of getting their driving privileges back, a legal mandate with compliance requirements enforced by the state.

In many states, drivers have limited choice among IID vendors — though multiple providers do operate across the country, and some states offer more flexibility than others. Regardless of vendor assignment, these drivers were not consulted on the vendor’s cybersecurity posture. They were not informed that the device keeping them in compliance with their court order was dependent on the availability of a third-party server that could be taken offline by an attack.

They are now, in some cases, unable to get to work. Unable to take their children to school. Unable to fulfill the other conditions of their probation or restricted license. And they are being asked to call a support number and wait for updates on a status page.

The cruelty isn’t malicious on Intoxalock’s part. But it is structural. A system designed to monitor people — to enforce accountability — has zero accountability mechanism of its own when it fails.

Who Regulates This Industry?

Here’s where the story gets uncomfortable.

Ignition interlock device programs are administered state by state, with oversight varying enormously. Some states have dedicated IID compliance offices. Others fold oversight into the DMV, the department of transportation, or the courts themselves. There is no federal regulatory body with jurisdiction over IID vendors’ cybersecurity practices.

The qualification standards for IID vendors typically cover:

  • Device accuracy (does the breathalyzer work correctly?)
  • Data reporting formats (can the state receive compliance data?)
  • Installation requirements
  • Service center standards

What they typically do not cover:

  • Vendor cybersecurity requirements
  • Business continuity and disaster recovery standards
  • Server availability SLAs
  • What happens when the vendor’s infrastructure fails

This is not a hypothetical gap. It is the gap that 150,000 people fell through on March 14.

The IID industry operates in a regulatory structure designed in an era when these devices were purely hardware. The shift to cloud-dependent, server-connected devices created a new category of risk — one that regulators haven’t caught up to, and that vendors have had little incentive to voluntarily address.

Critical Infrastructure Adjacent — and Treated Like None of It

There’s a serious policy conversation to be had about what counts as “critical infrastructure” in the United States.

The official CISA framework identifies 16 critical infrastructure sectors, including transportation systems and government facilities. IID programs sit at the intersection of both — they’re a court-mandated tool embedded in the personal transportation network of over a million Americans at any given time.

And yet they’re treated, from a regulatory standpoint, like consumer electronics.

An outage at a major cloud provider that affected 150,000 people’s ability to drive would generate congressional hearings. An attack on a hospital system that prevented patients from accessing care triggers federal response mechanisms. An attack on an IID vendor that strands court-ordered drivers for a week… generates a status page update.

The accountability asymmetry here is stark. The drivers are held to exacting compliance standards. They face serious legal consequences for any failure to meet their court-mandated obligations. The vendor that makes their compliance possible faces… what, exactly? What happens to Intoxalock if it can’t restore services? What penalties apply? What recourse do affected drivers have?

Currently: very little. Tort liability is difficult. Regulatory penalties are unclear. State DMVs are sending guidance to judges to extend compliance windows, but that requires individual action at the court level rather than a systemic response.

What Should Actually Change

The Intoxalock outage won’t be the last time a court-dependent technology vendor fails its captive user base. The conditions that produced this situation — regulatory fragmentation, no federal cybersecurity standards for IID vendors, cloud-dependent devices with no offline fallback — aren’t specific to Intoxalock.

What needs to change:

Federal baseline standards for IID vendors. If states require drivers to use these devices as a condition of court orders, there should be minimum cybersecurity and resilience requirements that apply nationally. CISA has the authority and expertise to develop these standards. The political will is another matter.

Offline fallback modes. IID devices that require server connectivity to function give criminal attackers — or even run-of-the-mill outages — the ability to affect court compliance. Devices should be designed to operate independently of server availability for calibration windows, with data synced when connectivity is restored.

Vendor accountability mechanisms. States should have explicit authority to fine, decertify, or require remediation from IID vendors who fail to maintain service. Right now, the compliance burden falls entirely on drivers. The vendor side of that relationship has no comparable accountability structure.

Clear state-level emergency protocols. The fact that extension availability varies by state — that Tennessee drivers get relief that Michigan and Washington drivers don’t — reflects a fragmented response to an event that crossed all 46 states simultaneously. A national vendor failure deserves a coordinated national response, even if program administration is state-level.

Intoxalock’s Official Statement

The following statement was provided by Intoxalock’s Director of Communications in response to this article. It is published in full.

On March 14, we temporarily paused our systems as a precaution after experiencing a cyber event. Our team took immediate action to secure our network and protect the integrity of our systems and data. The details of the event are actively being reviewed.

What is becoming increasingly inaccurately reported is that our devices are not functioning. Our Intoxalock devices have been fully operational during the temporary system pause.

To clarify, our customers who required a calibration beginning March 14, or those who went into a lockout as required by their state (ex. blowing in the device after consuming alcohol), which then requires calibration. To be clear, this is not the majority of our customers. Because it is being reviewed, I cannot speak to the exact number.

Those who were required to calibrate their device were impacted due to the system that the calibration process is connected to. It is an advanced calibration system. This group did experience a delay in starting their vehicle, and we have created a solution for this in the vast majority of states.

We developed a new system app that was pushed to all of our calibration devices while coordinating with state regulators to provide a temporary solution while we work to reinstate our systems’ 10-day service-date extension issued on March 18. You can view participating states at learn.intoxalock.com/status.

We also set up a designated texting line immediately. At this time, we have responded to 100% of our customers. We’ve also posted towing options at the link above, and we will cover any costs directly caused by the temporary system pause.

Because the devices are working and have been, customers should continue to use them as intended. Our primary focus continues to be supporting our customers. We are sorry for the inconvenience this has caused and are working diligently to resume our systems, and are fully committed to supporting our customers throughout this process.

Update — March 23, 2026: In a follow-up communication, Intoxalock’s Director of Communications confirmed: “We resumed our systems late yesterday [March 22].” This information is available at learn.intoxalock.com/status. The company notes the cyber event remains under active review.

The structural arguments that follow — about regulatory gaps, calibration dependency, and vendor accountability — reflect the author’s analysis and remain relevant regardless of Intoxalock’s specific response to this incident.

The Broader Pattern

This attack follows a pattern that’s becoming increasingly common: criminal attackers targeting companies whose customers are captive and whose failures cause immediate, tangible harm in the physical world.

Healthcare systems. Water utilities. Prison communications vendors. Court technology providers. These are organizations with limited security investment, real-world impact when they fail, and user bases with no ability to switch providers or simply go without the service.

Intoxalock’s customers couldn’t cancel their subscription and move on. They were court-ordered to use the device. That captivity is exactly the kind of leverage point that sophisticated attackers understand and exploit.

The conversation about ransomware and cyberattacks targeting “critical infrastructure” needs to expand beyond the obvious targets. When 150,000 people can’t start their cars because a vendor got hit — people who are already navigating a difficult period of their lives, already under court supervision, already trying to rebuild — that’s a critical infrastructure failure. Even if nobody called it that.

The status page is still updating. The cars are still sitting in driveways. Update: Intoxalock confirmed systems were restored on March 22, 2026. Drivers who were affected should visit learn.intoxalock.com/status for current information. The questions raised by this incident — about regulatory gaps and vendor accountability — remain unanswered.

Intoxalock outage status: learn.intoxalock.com/status
SMS support: (424) 724-4689 | Roadside assistance: 844-226-7522
Originally published March 21, 2026. Updated March 23, 2026 with corrections and official company statement. Systems restored March 22, 2026.