London-headquartered automotive data and analytics firm Autovista has confirmed a ransomware infection that is disrupting its application suite across Europe and Australia. The JD Power-owned company issued a public statement on Wednesday, April 15, 2026, acknowledging the incident and engaging outside experts to contain the attack. Email access has been pulled for some staff, and several customer organizations are reportedly instructing employees to block inbound mail from Autovista domains as a precaution.

What Happened

Autovista publicly confirmed on April 15 that ransomware operators had breached systems supporting its customer-facing applications. The company said it had called in third-party incident response specialists to help contain the intrusion and restore affected services. Disruption is concentrated in the application layer, the data-driven products Autovista licenses to manufacturers, dealers, insurers, body shops, telematics providers, and professional services clients. Impacted tools include residual value monitoring platforms and total cost of ownership (TCO) analytics. The firm has declined to commit to a restoration timeline, stating only that securely bringing applications back online is its top priority. Autovista's corporate website remains reachable, and the company has published a service update page along with an alternate Autovista Group email address for customers with urgent needs, since standard support channels are degraded.

What Was Taken

Autovista has not disclosed whether data exfiltration occurred, and the company says its investigation is still in its early stages. No ransomware gang has publicly claimed the attack at the time of reporting, and no leak site listing has been observed. Given the nature of Autovista's business, any successful data theft would likely involve proprietary vehicle valuation datasets, residual value models, repair and specification data from sister brands Eurotax, Glass's, Rødboka, and Schwacke, and customer account information spanning automotive OEMs, dealer networks, and insurers. Customer credentials and integration tokens used by downstream automotive platforms are also plausibly at risk. Scope will only become clear as the third-party investigation progresses.

Why It Matters

Autovista sits at a critical junction in the European and Asia-Pacific automotive value chain. Its valuation and TCO data feeds insurer pricing, dealer remarketing decisions, leasing residuals, and fleet operations across multiple regions. A prolonged outage ripples outward: underwriters lose pricing inputs, dealers lose trade-in benchmarks, and body shops lose repair-cost references. The fact that customer organizations are proactively blocking inbound email from the provider signals broader concern that attacker-controlled infrastructure or compromised mailboxes could be weaponized for follow-on phishing against a well-mapped customer base. For defenders, this is a reminder that supply-chain data providers are attractive targets precisely because their compromise creates second-order risk across entire industry verticals.

The Attack Technique

Autovista has stated that it does not yet know how the attackers gained initial access, and root-cause analysis is being led by external forensic consultants. No ransomware strain has been named publicly. Recent ransomware activity covered elsewhere in the threat landscape has leaned heavily on the exploitation of unpatched Microsoft vulnerabilities and on identity-based intrusion paths, but attribution for Autovista remains open. The disruption pattern, application-layer impact with email access pulled for portions of staff, is consistent with a post-compromise containment response in which identity and mail infrastructure are isolated to prevent lateral movement and further encryption.

What Organizations Should Do

Sources: Autovista blames ransomware for service disruption • The Register