Release date: 5.22.2026
Every quarter, PCA Cyber Security’s threat intelligence team reviews how the automotive threat landscape is shifting to produce our Global Automotive Cybersecurity Report.
Download it here.
This quarter, our team's research shows a landscape where cybersecurity risks are coming from multiple vectors. Automotive products and vehicles now span the entire connected vehicle ecosystem, from backend systems and EV chargers to customer databases and the human help desk.
In Q1 2026 alone, our team identified 265 unique automotive-specific vulnerabilities, a 102% jump from Q1 2025 and a 28% rise over Q4 2025.
In this blog post, we’ve pulled out the high-level takeaways from what we’re seeing on the frontline of automotive cybersecurity testing and improvement.
The Cloud Can Be a Single Point of Failure for Connected Vehicles
In late January 2026, a cyberattack on Russian telematics provider Delta Alarm compromised the cloud control plane that manages authentication and command routing for hundreds of thousands of connected vehicles.
The result was that owners across Russia were unable to unlock their doors or start their engines through their mobile app for up to two weeks. Many of the affected vehicles had no physical ignition key to fall back on. The provider took roughly five days to restore partial functionality and nearly two weeks to fully recover.
There was no ransomware and no data theft. The path to compromise was simple: attackers deleted or corrupted the backend services.
This cyber-physical disruption validates a risk the research community has discussed for years: when vehicle control depends on the cloud, losing the control plane means losing some or all of the vehicle's functionality.
AI-Assisted Voice Phishing Is a Growing Data Breach Risk
Several of this quarter's incidents bypassed technical defences entirely by targeting people.
In mid-February, the ShinyHunters group ran an AI-assisted voice phishing (vishing) attack against the help desk of a major online automotive marketplace.
By impersonating a remote employee, the attackers convinced an agent to reset multi-factor authentication and issue a new password, then used that access to exfiltrate 12.4 million user records.
The leaked dataset included auto finance pre-qualification details, such as self-reported income and desired loan amount, and 3.7 million of those records had never appeared in any previous breach.
Third-Party Vendor Incidents Keep Turning Into OEM Breaches
As in the broader cybersecurity landscape, third-party risks are emerging as a major threat to the automotive industry. Indeed, the majority of headline automotive cybersecurity incidents this quarter originated not inside an OEM, but with a third-party vendor.
A few examples we noted during Q1 2026 include:
- A ransomware group exfiltrated nearly 1 TB of data from a major Asian manufacturer's customer and dealership environment, via a third-party vendor that hosted dealer portals and CRM integrations.
- The Incransom group published a 200 GB leak from a Tier-1 electronics supplier, exposing engineering change orders and design documents belonging to multiple OEMs at once.
- A 2024 SafePay breach at a global BPO provider was finally disclosed in January 2026, after a 14-month notification delay, exposing nearly 17,000 employees and fleet customers of a commercial vehicle manufacturer.
The most damaging exposures came from legal and HR outsourcers, which often hold the most sensitive, unredacted PII but rarely match OEM-level security maturity. That makes it important for vendors to understand their third-party risks and audit both the flow of PII and their suppliers’ ability to safeguard it.
EV Charging Is a Fountain of Exploits
January's Pwn2Own Automotive 2026 in Tokyo resulted in a series of interesting exploits against EV charging infrastructure.
Highlights included a charging-signal manipulation attack on the Autel MaxiCharger, unauthenticated root code execution on the ChargePoint Home Flex via OCPP message handling (ZDI-26-197), and a race-condition takeover of the Alpitronic HYC50 commercial DC fast charger.
Separately, the Ultra-Fast Wireless Charging hack drained 76% of an EV's power, and Quarkslab's audit of the open-source EVerest stack surfaced six high-severity issues.
OEMs and Suppliers Must Get Ahead of Regulatory Requirements
In the last few months, the global automotive regulatory landscape has shifted hard towards enforcement.
In the US, new Commerce rules prohibit Chinese and Russian connected-vehicle software from Model Year 2027, and the US SELF DRIVE Act of 2026 mandates written cybersecurity plans for Level 4 and 5 automation.
Meanwhile, in China, the amended Cybersecurity Law took effect on 1 January 2026 with raised penalties and extraterritorial reach.
In Europe, amendment work continues on UNECE R155 and R156 across the UK and EU.
However, manufacturers also have an opportunity right now to get ahead of regulatory coverage.
As our CTO, Vlad Ryabyshkin, put it:
"2026 is the year automotive cybersecurity stops being a policy alignment exercise and becomes operational proof. The threats are scaling faster than traditional defences, and the human perimeter and cloud control plane are now as critical as the in-vehicle network."
Based on our Q1 data, we recommend that every company in the automotive industry, at a minimum, deploy phishing-resistant MFA (FIDO2) across help desk and support functions, and design for "degraded mode" in its telematics architecture so a cloud outage cannot strand a fleet.
For the full analysis, including the complete vulnerability dataset, EV charging research, underground activity, and a detailed regulatory breakdown, our Q1 2026 Global Automotive Cybersecurity Report is available for free here.
