London-headquartered automotive data and analytics provider Autovista confirmed on April 15 that a ransomware infection has disrupted its application stack across Europe and Australia, forcing the JD Power-owned firm to call in third-party incident responders and pull email access for some staff. Customers have been told to monitor the company's status page directly, and at least some customer organizations are reportedly instructing their own employees to block inbound email from the provider as a precaution.

What Happened

Autovista issued a public service update on Wednesday, April 15, 2026, confirming that ransomware was the cause of an ongoing outage affecting customer-facing applications. The company said it has engaged outside experts to contain the attack and restore impacted services, but warned that it does not yet have a firm timeline for recovery. Email access has been revoked for some staff as part of the containment response, leaving customers unable to reach their usual contacts. Autovista has published a single Group email address for urgent inquiries and is directing customers to its website for further updates.

What Was Taken

Autovista has not disclosed any data theft at this stage, and the company explicitly stated that the investigation is still in its early phase. The disclosed impact is operational disruption to its hosted applications rather than a confirmed data exfiltration event. Given Autovista's role as the central data spine for vehicle valuation, residual value monitoring, total cost of ownership analytics, and repair-data services, any attacker dwell time would have placed sensitive commercial datasets, customer account information, and pricing intelligence at risk. The Autovista Group portfolio also includes the Eurotax, Glass's, Rødboka, and Schwacke brands, broadening the potential blast radius across European markets.

Why It Matters

Autovista sits at the centre of the automotive value chain, supplying manufacturers, dealers, body shops, insurers, telematics firms, and professional services organizations with the reference data they use to price, underwrite, and service vehicles. A prolonged outage at a data utility of this kind cascades into delayed insurance quotes, stalled used-vehicle pricing, and broken dealer workflows across multiple countries. The customer guidance to block inbound email from the provider is particularly notable: it signals that downstream organizations are treating Autovista's mail infrastructure as untrusted, raising the prospect of follow-on phishing or business email compromise leveraging the breach. The incident also lands in a week dominated by ransomware activity targeting enterprise data brokers, reinforcing that information-rich intermediaries remain prime targets.

The Attack Technique

The initial access vector has not been disclosed. Autovista told customers it does not yet know how the criminals breached its environment, and that third-party experts are working to determine the root cause. No ransomware crew has publicly claimed the intrusion at the time of writing, and no ransom demand or leak-site listing has been confirmed. The visible response pattern, which combines pulling email access, isolating customer-facing applications, and bringing in external incident responders, is consistent with a hands-on-keyboard intrusion that reached production systems before detection.

What Organizations Should Do

1. Treat any inbound email purporting to originate from Autovista or its subsidiary brands (Eurotax, Glass's, Rødboka, Schwacke) as suspect until the company confirms mail systems are clean, and consider temporary blocks or quarantine rules at the gateway.
2. Review and rotate any API credentials, SFTP keys, or service account passwords used for Autovista data integrations, and audit recent access logs for those accounts.
3. Brief procurement, claims, underwriting, and dealer operations teams on the outage so they can fall back to manual valuation and pricing workflows where required.
4. Hunt for anomalous outbound connections or data flows tied to Autovista integration endpoints in the 30 days preceding April 15, 2026.
5. Monitor known ransomware leak sites for any Autovista or JD Power Group listings, and prepare a customer communications plan in case shared data is exposed.
6. Validate that DMARC, DKIM, and SPF enforcement is set to reject for inbound mail from partner domains, reducing the risk of spoofed follow-on phishing leveraging the incident.

Sources: Autovista blames ransomware for service disruption • The Register