Sign in Subscribe
6 min read

55 Statistics about Cybersecurity Breaches in the Automotive Industry​ from Q4 2025 and Q1 2026

The single biggest takeaway from these Q1 2025 and Q1 2026 statistics is that automotive-specific vulnerabilities doubled year-on-year.

We've also got data below about the severity of vulnerabilities in the automotive industry, how the automotive attack surface has changed and where OEMs and automotive companies need to go next.

We were able to pull this list together by collating 55 statistics from research done by automotive cybersecurity solution provider, PCA Cyber Security.

Note: For a weekly feed of live cybersecurity statistics, subscribe to our free cybersecurity newsletter.

Automotive Vulnerabilities Q1 2026  

Automotive specific vulnerability volume has roughly doubled in twelve months and is spread across four sources including in-vehicle (Core embedded logic, ECUs, and V2X communication protocols), Backend (OEM and supplier servers, OTA update infrastructure, and cloud services), EV chargers (Charging stations, their internal controllers, and network links) and mobile applications (Vulnerabilities within consumer applications used for vehicle interaction)

We also note an increase in the severity of automotive specific vulnerabilities. Most vulnerabilities now fall within the 7.0 to 9.0 range.

Here’s the raw data on Automotive vulns from 2025 and up to Q1 2026.:

  • 265 unique automotive-specific vulnerabilities were identified in Q1 2026 (PCA Cyber Security, Q1 2026).
  • Automotive vulnerabilities rose 28% in Q1 2026 compared with Q4 2025 (PCA Cyber Security, Q1 2026).
  • Automotive vulnerabilities rose 102% year-on-year between Q1 2025 and Q1 2026 (PCA Cyber Security, Q1 2026).
  • Q1 2026 vulnerabilities span 77 unique Common Weakness Enumerations (PCA Cyber Security, Q1 2026).
  • Q1 2026 vulnerabilities map to 25 distinct TTPs in the Auto-ISAC Automotive Threat Matrix (PCA Cyber Security, Q1 2026).
  • 160 Medium, 75 High, and 16 Critical automotive vulnerabilities were identified in Q1 2026 (PCA Cyber Security, Q1 2026).
  • 88% of Q1 2026 automotive vulnerabilities require Low Attack Complexity (PCA Cyber Security, Q1 2026).
  • 77 distinct CWEs were mapped in Q1 2026, up from 64 in Q4 2025 (PCA Cyber Security, Q1 2026).
  • 206 unique automotive vulnerabilities were identified in Q4 2025, a 19% increase over Q3 2025 (PCA Cyber Security, Q4 2025).
  • Q4 2025 vulnerabilities span 64 unique CWEs (PCA Cyber Security, Q4 2025).
  • Q4 2025 vulnerabilities mapped to 19 distinct TTPs in the Auto-ISAC Automotive Threat Matrix (PCA Cyber Security, Q4 2025).
  • Q4 2025 severity breakdown: 146 Medium, 54 High, and 2 Critical automotive vulnerabilities (PCA Cyber Security, Q4 2025).
  • 14 different attack methods were observed in Q4 2025 automotive vulnerabilities (PCA Cyber Security, Q4 2025).
  • Ethernet represented over 25% of all automotive attack vector entries in Q1 2026 (PCA Cyber Security, Q1 2026).
  • Web and Local Shell combined for 33% of Q1 2026 automotive attack vectors (PCA Cyber Security, Q1 2026).
  • In-vehicle and Backend systems accounted for more than 81% of Q1 2026 automotive vulnerability targets (PCA Cyber Security, Q1 2026).
  • PCA identified 14 unique methods of entry in the Q1 2026 automotive threat landscape (PCA Cyber Security, Q1 2026).
  • Local Shell was the most frequent attack vector in Q4 2025, representing over 62% of total automotive entries (PCA Cyber Security, Q4 2025).
  • Ethernet and Wi-Fi combined accounted for more than 18% of Q4 2025 automotive attack vectors (PCA Cyber Security, Q4 2025).
  • In-vehicle and Virtualization target types accounted for 95%+ of Q4 2025 automotive vulnerabilities (PCA Cyber Security, Q4 2025).

EV Charging Infrastructure Statistics

In Q1 2026, EV chargers became one of the most consequential attack surfaces in automotive, with multiple research teams demonstrating full device compromise.

  • Pwn2Own Automotive 2026 in Tokyo produced 76 unique zero-days and $1.047 million in payouts (PCA Cyber Security, Q1 2026).
  • Pwn2Own Automotive 2026 had a record 73 entries (PCA Cyber Security, Q1 2026).
  • Quarkslab's audit of the EVerest open-source EV charging stack found 6 high-severity, 6 medium-severity, 5 low-severity, and 3 informational issues (PCA Cyber Security, Q1 2026).
  • The Ultra-Fast Wireless Charging hack drained 76% of EV power on the Alpitronic HYC50 commercial DC fast charger (PCA Cyber Security, Q1 2026).
  • The ChargePoint Home Flex flaw (ZDI-26-197) allows unauthenticated network-adjacent remote code execution as root via OCPP message handling (PCA Cyber Security, Q1 2026).
  • The DrainDead portable EV battery siphoning rig was built for approximately €1,200 using a solar inverter and CCS adapter (PCA Cyber Security, Q4 2025).
  • Most EVs in DrainDead testing allowed indefinite battery siphoning with repeated session resets; only some (e.g. Volkswagen group) halted discharging after around 60 seconds (PCA Cyber Security, Q4 2025).
  • The Ultra-Fast Wireless Charging attack synchronises with the charger's signal within only three cycles, defeating frequency hopping countermeasures (PCA Cyber Security, Q4 2025).

Infotainment and In-Cabin Computing Statistics

Infotainment units have consolidated cabin functions to the point where compromising one can move an attacker much closer to the centre of the vehicle's electronics fabric.

  • The Kenwood DNR1007XR aftermarket head unit exposes a Linux login prompt over UART at 115200 bps via a hidden board-edge connector (PCA Cyber Security, Q1 2026).
  • Synacktiv chained an information leak with an out-of-bounds write to achieve a full win against Tesla infotainment via USB at Pwn2Own Automotive 2026 (PCA Cyber Security, Q1 2026).

Telematics and Cyber-Physical Attack Statistics

The Q1 2026 Delta Alarm incident showed how a backend breach can disable a fleet without ever touching physical cars.

  • The Delta Alarm cyberattack disabled mobile-app vehicle controls for hundreds of thousands of Russian vehicle owners for up to two weeks in late January 2026 (PCA Cyber Security, Q1 2026).
  • Delta Alarm took approximately five days to restore partial functionality and nearly two weeks to fully recover from the cloud control plane attack (PCA Cyber Security, Q1 2026).

Automotive Data Breaches 2025 to Q1 2026 

Across both reporting quarters, third-party vendors (legal, HR, BPO, Tier-1 suppliers) generated the majority of headline data losses.

  • A ransomware group exfiltrated nearly 1 TB of data from a major Asian vehicle manufacturer's customer and dealership environment in early January 2026 via a third-party vendor (PCA Cyber Security, Q1 2026).
  • The BEAST threat actor leaked 700 GB of internal data from a large Chinese automotive group in late February 2026 (PCA Cyber Security, Q1 2026).
  • A 2024 SafePay ransomware breach at a global BPO provider exposed nearly 17,000 employees and customers of a major commercial vehicle manufacturer, disclosed in January 2026 after a 14-month notification delay (PCA Cyber Security, Q1 2026).
  • The Incransom ransomware group published a 200 GB leak from a Tier-1 electronics component supplier in January 2026 (PCA Cyber Security, Q1 2026).
  • An automotive parts marketplace database with over 7.7 million records was exposed via a misconfigured Elasticsearch instance in January 2026 (PCA Cyber Security, Q1 2026).
  • The ShinyHunters vishing attack against an online automotive marketplace help desk exfiltrated 12.4 million user records (6.1 GB) in mid-February 2026 (PCA Cyber Security, Q1 2026).
  • 3.7 million of the 12.4 million records exposed in the ShinyHunters automotive marketplace breach were previously unseen in other breaches (PCA Cyber Security, Q1 2026).
  • A US Tier-1 automotive supplier had approximately 1.9 TB of internal files publicly posted on an extortion site at the end of October 2025 (PCA Cyber Security, Q4 2025).
  • A Japanese vehicle manufacturer's customer management environment breach exfiltrated roughly 900 GB in December 2025 (PCA Cyber Security, Q4 2025).
  • A Japanese vehicle manufacturer third-party cloud compromise exposed around 21,000 customer records in December 2025 (PCA Cyber Security, Q4 2025).
  • A German aftermarket parts and distribution business had 1.4 TB of internal data advertised on underground forums in December 2025 (PCA Cyber Security, Q4 2025).
  • Over 100 advertised leaks and ransomware breaches targeted the automotive supply chain on the dark web in Q4 2025 (PCA Cyber Security, Q4 2025).
  • Quarkslab bypassed the 16-byte RH850 debug password protection on multiple variants using voltage fault injection (PCA Cyber Security, Q1 2026).
  • The DefenseWeaver multi-agent LLM system identified 11 critical attack paths across four automotive projects in function-level TARA testing (PCA Cyber Security, Q1 2026).
  • The ControlLoc adversarial attack on AV object trackers achieved up to 98.5% success digitally and over 79% in physical tests against the Baidu Apollo stack (PCA Cyber Security, Q4 2025).
  • Around 60% of automotive vendors had already adopted intrusion detection systems at the time of the Automotive Cyber Security, Connectivity and SDV Week 2025 survey (PCA Cyber Security, Q4 2025).

Automotive Cybersecurity Regulation Statistics

Cybersecurity compliance is a major driver of automotive cybersecurity engineering and also is becoming an essential requirement for market entry in pretty much every potential market. 

US automotive cybersecurity regulations

  • The US Commerce Department rule prohibits Chinese and Russian connected-vehicle software starting Model Year 2027 (PCA Cyber Security, Q1 2026).
  • US connected vehicle hardware restrictions arrive for Model Year 2030 or January 1, 2029 for non-model-year components (PCA Cyber Security, Q1 2026).
  • The US connected vehicle rule covers vehicles under 10,001 pounds (PCA Cyber Security, Q1 2026).
  • The US SELF DRIVE Act of 2026 requires the Secretary of Commerce to brief Congress on connected vehicle supply chain security within 180 days (PCA Cyber Security, Q1 2026).

China and UK automotive cybersecurity regulation

  • China's amended Cybersecurity Law took effect on 1 January 2026 (passed 28 October 2025) with raised penalties and extraterritorial reach (PCA Cyber Security, Q1 2026).
  • UK SI 2025/1110 mandated UN R155 and R156 for type-approval effective 13 November 2025 (PCA Cyber Security, Q4 2025).

EU automotive cybersecurity regulation

  • EU Delegated Regulation 2025/1455 extends UN R155 to L-category vehicles, with new types compliant by 11 December 2027 and existing types by 11 June 2029 (PCA Cyber Security, Q4 2025).