It’s one thing when a driver can’t blow clean into a vehicle breathalyzer and is banned from driving their car until the effects of their night out wear off. But it is quite another thing to be completely sober and not able to get your car to start to go to work, school, or even get back home. 

That’s what happened to thousands of drivers nationwide whose Intoxalock breathalyzers left them stranded in March after a cyberattack took down some of the company’s systems—an auto shop in Maine told a local TV station its parking lot was chock full of cars for at least a week because drivers couldn’t start them.  

Vehicle breathalyzers, which fit onto ignition switches, are placed on cars—by the courts—when a driver has faced a DUI offense and must register a negative when blowing into the device before their car will start. 

Intoxalock says it services about 150,000 drivers in 46 states, though the affected area seems to be the Eastern half of the country.  

The devices require periodic calibration to remain operational, and during downtime, Intoxalock breathalyzers couldn’t be calibrated, leaving some drivers literally out in the cold. One Reddit poster in Wisconsin noted on a snowy day that the system was down due to a cybersecurity event on March 14, but their wait and attitude quickly turned annoyed, then angry when they realized they would miss work the next day and “have to pay to have my vehicle towed to a service center.”  

The company didn’t provide many details on the attack. Still, Upguard reported that an unidentified threat actor launched an attack that “flooded Intoxalock’s servers, resulting in a complete system shutdown of its nationwide breathalyzer ignition interlock devices,” calling the incident of medium severity due to its reach.  

“This may seem like a routine outage—but it highlights a deeper risk as cyber incidents increasingly impact physical systems,” says Nakul Goenka, risk officer at ColorTokens.  

“This is a classic example of a centralized control point becoming a single point of failure, where a cyber event can directly prevent people from using essential services—in this case, their own vehicles,” says Goenka, underscoring “that availability is just as critical as security in cyber-physical environments.” 

Intoxalock issued a statement saying that no ransom demand was made, nor was customer data leaked. That is cold comfort for many drivers who had to explain to their employers why they couldn’t get to work in the eight days that the service was down. 

Intoxalock offered roadside assistance, towing reimbursement and 10-day service extensions via their service centers. The company said it would “be covering costs that are a direct result of the temporary system pause,” excluding charges for “the calibration required after the extension, as that calibration would occur as part of the standard process.” 

The company managed to get service back up and operational by March 22. 

“From a legal and governance standpoint, this raises important questions around duty of care, liability, and consumer protection,” says Goenka.  

“When a cybersecurity incident restricts access to personal assets, organizations may be held to a higher standard of resilience and contingency planning,” he says, noting that the “key question for leaders is: If a core system goes down, what real-world functions are disrupted—and are we prepared for that scenario?”