London-headquartered automotive data and analytics provider Autovista has confirmed a ransomware infection is disrupting its applications across Europe and Australia, with some customers instructing staff to block inbound email from the provider as a precaution. The JD Power-owned firm, which supplies residual value and total cost of ownership data to manufacturers, dealers, insurers, and body shops, called in external incident responders and has provided no firm timeline for restoration.

What Happened

On 15 April 2026, Autovista issued a public service update confirming that ransomware operators had compromised systems underpinning its customer-facing applications. The company acknowledged disruption across its European and Australian operations and said third-party experts were engaged to contain the attack and investigate the root cause. Email access has been pulled for some Autovista staff, forcing the company to direct urgent customer contact through a wider Autovista Group address while its primary communications channels remain degraded. The company's public website is still online and being used as the authoritative channel for updates.

What Was Taken

Autovista has not publicly disclosed whether data was exfiltrated, and at the time of its initial statement said the investigation remained in an early stage. No ransomware group has been named, no extortion site listing has been reported, and no ransom demand figure has been made public. Given Autovista's role as a data aggregator for vehicle valuations, specifications, and repair data across brands including Eurotax, Glass's, Rødboka, and Schwacke, any data theft could carry downstream exposure for automotive manufacturers, dealers, insurers, and telematics customers whose records transit or reside in Autovista systems.

Why It Matters

Autovista sits at a critical junction in the European and Australian automotive value chain. Insurers rely on its residual value feeds for policy pricing, dealers depend on its pricing data for stock decisions, and body shops consume its repair data for estimating. A prolonged outage ripples across underwriting, trade-ins, and repair throughput at scale. The decision by some customer organisations to block inbound email from Autovista is also notable: it reflects a growing defender instinct to treat a breached supplier's communications channel as hostile until proven otherwise, a posture that limits follow-on phishing but also severs legitimate coordination. For supply chain defenders, the incident reinforces that data-and-analytics SaaS providers are increasingly high-value ransomware targets.

The Attack Technique

Autovista has stated it does not yet know how intruders gained initial access and that investigators are working to establish the root cause. No initial access vector, malware family, or affiliate group has been attributed publicly. The removal of email access for some staff is consistent with a defensive containment measure taken after identity or mail infrastructure was suspected of compromise, a pattern seen in ransomware intrusions that pivot through Active Directory or Microsoft 365 tenants before detonating encryptors against application hosts.

What Organizations Should Do

  1. Treat all inbound email purporting to originate from Autovista or its brands (Eurotax, Glass's, Rødboka, Schwacke) as suspect until the provider confirms mail hygiene is restored, and route any urgent traffic through the verified Autovista Group contact address published on the vendor's service update page.
  2. Inventory every integration point with Autovista APIs, data feeds, and SSO connections, and consider temporarily disabling or tightening access until the provider confirms the scope of the compromise.
  3. Rotate any shared secrets, API keys, or service account credentials tied to Autovista integrations and hunt for anomalous authentication against those identities.
  4. Review third-party risk documentation and contractual breach notification terms, and open an incident record against the Autovista supplier relationship to track disclosures.
  5. Brief pricing, underwriting, claims, and repair operations teams on likely data latency or outage and prepare manual fallback procedures for valuation and specification lookups.
  6. Monitor ransomware leak sites for any Autovista or JD Power listings and feed any indicators of compromise released by the vendor into EDR, SIEM, and email security stacks.
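
As an added illustration of step 3 (not from the source article or the vendor), the following sketch hunts authentication logs for supplier-integration identities, flagging logins from unexpected networks and any use of a key after it was rotated out. The identity name, key IDs, networks, rotation time, and log format are all constructed assumptions.

```python
import ipaddress
import json
from datetime import datetime

# Constructed inventory (assumption): supplier-integration identities, the networks
# they normally authenticate from, and when each old key was rotated out.
INVENTORY = {
    "svc-valuation-feed": {
        "expected_nets": ["10.20.0.0/16"],
        "retired_keys": {"key-old": "2026-04-15T12:00:00+00:00"},
    },
}

# Constructed sample auth events (JSON lines); not real logs.
SAMPLE_LOG = """
{"ts": "2026-04-15T09:00:00+00:00", "identity": "svc-valuation-feed", "src": "10.20.4.7", "key_id": "key-old", "result": "success"}
{"ts": "2026-04-15T13:30:00+00:00", "identity": "svc-valuation-feed", "src": "10.20.4.7", "key_id": "key-new", "result": "success"}
{"ts": "2026-04-15T14:05:00+00:00", "identity": "svc-valuation-feed", "src": "203.0.113.50", "key_id": "key-new", "result": "success"}
{"ts": "2026-04-15T15:10:00+00:00", "identity": "svc-valuation-feed", "src": "198.51.100.9", "key_id": "key-old", "result": "failure"}
{"ts": "2026-04-15T15:11:00+00:00", "identity": "svc-backup", "src": "198.51.100.9", "key_id": "key-x", "result": "success"}
"""


def hunt(log_text, inventory=INVENTORY):
    """Return (ts, identity, result, reasons) for each suspicious auth event."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        profile = inventory.get(ev["identity"])
        if profile is None:  # not a supplier-integration identity
            continue
        reasons = []
        src = ipaddress.ip_address(ev["src"])
        if not any(src in ipaddress.ip_network(n) for n in profile["expected_nets"]):
            reasons.append("unexpected_source")
        # Any attempt with a key after its rotation time means someone still holds
        # the old secret; flag it whether or not the attempt succeeded.
        retired_at = profile["retired_keys"].get(ev["key_id"])
        if retired_at and datetime.fromisoformat(ev["ts"]) >= datetime.fromisoformat(retired_at):
            reasons.append("retired_key_used")
        if reasons:
            findings.append((ev["ts"], ev["identity"], ev["result"], reasons))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Failed attempts with a retired key are reported alongside successes because they show the old secret is still in someone's hands, which matters even when the rotation has already blocked it.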

Sources: Autovista blames ransomware for service disruption • The Register