There’s a version of cybersecurity writing that treats every attack as a technical event — servers go down, data gets encrypted, someone pays a ransom. Abstract. Clean. Contained.

Then there’s the version where someone is standing in a parking lot at 7 AM, sober, late for work, and their car won’t start.

Since March 14, 2026, that’s been the reality for an estimated 150,000 drivers across 46 states. Not because they did anything wrong. Not because of a mechanical failure. Because Intoxalock — the company whose device the court system required them to install in their vehicles — got hit by a cyberattack, and their servers went offline.

And when Intoxalock’s servers go offline, the ignition interlock devices they make stop functioning. And when those devices stop functioning, the cars they’re wired into don’t start.

This is what happens when a court-ordered safety requirement depends on a vendor’s cloud connectivity, and nobody asked the hard questions about what happens when the vendor gets hacked.

What Intoxalock Is (and Who It Controls)

Most people outside the DUI enforcement system have never heard of Intoxalock. That’s by design — these devices exist in a corner of the justice system that operates largely outside public visibility.

Here’s the system: When someone is convicted of a DUI in most US states, a condition of their restricted driving privileges is the installation of an ignition interlock device (IID). The device requires the driver to blow into a breathalyzer before the car will start. Periodic “rolling retests” occur while driving. If the device detects alcohol above a threshold, the vehicle won’t start or issues a warning.

Intoxalock is one of the largest IID providers in the country, operating in all 46 of the states affected by this outage.

The devices aren’t purely mechanical. They require periodic calibration — typically every 30 to 60 days — at authorized service centers. This calibration is logged, transmitted to state monitoring systems, and often required as a condition of the court order. Miss a calibration window, and the device can be programmed to prevent the car from starting. Fail to transmit calibration data to the monitoring system, and you may be reported as non-compliant to your probation officer or the state DMV.

All of that calibration, data transmission, and compliance reporting runs through Intoxalock’s servers.

When the servers went down on March 14, the entire system collapsed.

The Attack: What Happened

Intoxalock has described the incident as a DDoS-style cyberattack — a flood of traffic designed to overwhelm and take offline their servers. The attack began March 14 and, as of March 20, 2026, had not been fully resolved. No restoration timeline has been publicly provided.

The company’s status page — learn.intoxalock.com/status — has been tracking the ongoing outage. The updates there are worth reading in full, because they illustrate exactly how a vendor with hundreds of thousands of captive customers communicates during a crisis: cautiously, with narrow commitments and maximum ambiguity.

What Intoxalock has offered affected drivers:

  • Towing reimbursement for vehicles that can’t start
  • 10-day calibration extensions at service centers (available in most states)
  • Paused installation appointments through March 22

What varies by state is telling. Tennessee drivers have an extension through March 24. Michigan and Washington residents are specifically noted as not covered by the extension. Why? Because IID programs are regulated at the state level, and each state’s administrative rules about compliance windows, extension authority, and vendor accountability differ. The patchwork is the feature, not the bug — but right now it’s leaving some of the most vulnerable affected drivers without recourse.

SMS support line: (424) 724-4689
Roadside assistance: 844-226-7522
Current status: learn.intoxalock.com/status

The Cruel Irony at the Center of This

Take a moment to sit with what’s actually happening here.

These 150,000 drivers were required to install this device. It wasn’t optional. It was a court order, a condition of getting their driving privileges back, a legal mandate with compliance requirements enforced by the state.

They were not given a choice of vendor in most cases. They were not consulted on the vendor’s cybersecurity posture. They were not informed that the device keeping them in compliance with their court order was dependent on the availability of a third-party server that could be taken offline by an attack.

They are now, in some cases, unable to get to work. Unable to take their children to school. Unable to fulfill the other conditions of their probation or restricted license. And they are being asked to call a support number and wait for updates on a status page.

The cruelty isn’t malicious on Intoxalock’s part. But it is structural. A system designed to monitor people — to enforce accountability — has zero accountability mechanism of its own when it fails.

Who Regulates This Industry?

Here’s where the story gets uncomfortable.

Ignition interlock device programs are administered state by state, with oversight varying enormously. Some states have dedicated IID compliance offices. Others fold oversight into the DMV, the department of transportation, or the courts themselves. There is no federal regulatory body with jurisdiction over IID vendors’ cybersecurity practices.

The qualification standards for IID vendors typically cover:

  • Device accuracy (does the breathalyzer work correctly?)
  • Data reporting formats (can the state receive compliance data?)
  • Installation requirements
  • Service center standards

What they typically do not cover:

  • Vendor cybersecurity requirements
  • Business continuity and disaster recovery standards
  • Server availability SLAs
  • What happens when the vendor’s infrastructure fails

This is not a hypothetical gap. It is the gap that 150,000 people fell through on March 14.

The IID industry operates in a regulatory structure designed in an era when these devices were purely hardware. The shift to cloud-dependent, server-connected devices created a new category of risk — one that regulators haven’t caught up to, and that vendors have had little incentive to voluntarily address.

Critical Infrastructure Adjacent — and Treated Like None of It

There’s a serious policy conversation to be had about what counts as “critical infrastructure” in the United States.

The official CISA framework identifies 16 critical infrastructure sectors, including transportation systems and government facilities. IID programs sit at the intersection of both — they’re a court-mandated tool embedded in the personal transportation network of over a million Americans at any given time.

And yet they’re treated, from a regulatory standpoint, like consumer electronics.

An outage at a major cloud provider that affected 150,000 people’s ability to drive would generate congressional hearings. An attack on a hospital system that prevented patients from accessing care triggers federal response mechanisms. An attack on an IID vendor that strands court-ordered drivers for a week… generates a status page update.

The accountability asymmetry here is stark. The drivers are held to exacting compliance standards. They face serious legal consequences for any failure to meet their court-mandated obligations. The vendor that makes their compliance possible faces… what, exactly? What happens to Intoxalock if it can’t restore services? What penalties apply? What recourse do affected drivers have?

Currently: very little. Tort liability is difficult. Regulatory penalties are unclear. State DMVs are sending guidance to judges to extend compliance windows, but that requires individual action at the court level rather than a systemic response.

What Should Actually Change

The Intoxalock outage won’t be the last time a court-dependent technology vendor fails its captive user base. The conditions that produced this situation — regulatory fragmentation, no federal cybersecurity standards for IID vendors, cloud-dependent devices with no offline fallback — aren’t specific to Intoxalock.

What needs to change:

Federal baseline standards for IID vendors. If states require drivers to use these devices as a condition of court orders, there should be minimum cybersecurity and resilience requirements that apply nationally. CISA has the authority and expertise to develop these standards. The political will is another matter.

Offline fallback modes. IID devices that require server connectivity to function give criminal attackers — or even run-of-the-mill outages — the ability to affect court compliance. Devices should be designed to operate independently of server availability for calibration windows, with data synced when connectivity is restored.

Vendor accountability mechanisms. States should have explicit authority to fine, decertify, or require remediation from IID vendors who fail to maintain service. Right now, the compliance burden falls entirely on drivers. The vendor side of that relationship has no comparable accountability structure.

Clear state-level emergency protocols. The fact that extension availability varies by state — that Tennessee drivers get relief that Michigan and Washington drivers don’t — reflects a fragmented response to an event that crossed all 46 states simultaneously. A national vendor failure deserves a coordinated national response, even if program administration is state-level.

The Broader Pattern

This attack follows a pattern that’s becoming increasingly common: criminal attackers targeting companies whose customers are captive and whose failures cause immediate, tangible harm in the physical world.

Healthcare systems. Water utilities. Prison communications vendors. Court technology providers. These are organizations with limited security investment, real-world impact when they fail, and user bases with no ability to switch providers or simply go without the service.

Intoxalock’s customers couldn’t cancel their subscription and move on. They were court-ordered to use the device. That captivity is exactly the kind of leverage point that sophisticated attackers understand and exploit.

The conversation about ransomware and cyberattacks targeting “critical infrastructure” needs to expand beyond the obvious targets. When 150,000 people can’t start their cars because a vendor got hit — people who are already navigating a difficult period of their lives, already under court supervision, already trying to rebuild — that’s a critical infrastructure failure. Even if nobody called it that.

The status page is still updating. The cars are still sitting in driveways.

Current Intoxalock outage status: learn.intoxalock.com/status
SMS support: (424) 724-4689 | Roadside assistance: 844-226-7522
Information current as of March 20, 2026, 5:30 PM EDT. The situation remains ongoing.