Ransomware Is Hitting Infrastructure, and It's Getting Personal

Cities shut down, cars that won't start, and millions of benefits records exposed. Ransomware's blast radius has moved beyond IT into the physical world.

Jonathan Thompson · March 25, 2026

Ransomware used to mean encrypted files and a bitcoin demand. In March 2026, it means cars that won’t start, cities that can’t function, and transit systems under threat.

The shift from “IT problem” to “public safety problem” has been gradual, but the last week made it impossible to ignore.

What Happened

Foster City and LA Metro hit in the same week. Ransomware crippled Foster City’s municipal systems, and within days the WorldLeaks group threatened Los Angeles Metro operations. Two major infrastructure targets in rapid succession: whether coordinated or coincidental, the timing demonstrates how exposed municipal systems remain.

Intoxalock cyberattack strands drivers in 46 states. Intoxalock, which makes court-ordered ignition interlock devices for DUI offenders, was hit by a cyberattack that rendered their devices inoperable. Cars wouldn’t start. Drivers who depend on these devices to legally operate their vehicles were stranded, not because of anything they did, but because a vendor’s systems went down.

Navia Benefit Solutions breach exposes 2.7 million people. A breach at Navia, a benefits administration provider, exposed personal data for 2.7 million individuals. Health benefits, financial information, personally identifiable data: the kind of information that creates real harm when it’s stolen.

BlueLeaks 2.0. A law enforcement tip platform was breached with 93GB of data dumped publicly. Confidential reports, tips, and investigative data, now available to anyone who wants it.

The Pattern Worth Paying Attention To

These aren’t random targets. There’s a clear pattern: attackers are hitting organizations where a systems failure translates directly into physical-world consequences.

Municipal systems control water, power, permitting, emergency services. Transit systems move millions of people daily. Ignition interlock devices are literally attached to cars. Benefits platforms hold health and financial data for people who have no visibility into their provider’s security posture.

The common thread is that the victims (citizens, drivers, patients, and employees) have no ability to manage this risk themselves. They’re collateral damage from security failures at organizations they may not even know exist.

Why This Matters for Your Organization

If your business depends on physical infrastructure, IoT devices, operational technology, or third-party services that affect the real world, the ransomware risk calculus has changed.

Business continuity planning needs to extend beyond IT. If ransomware hits your building management system, can your offices operate? If it hits your fleet management platform, can your vehicles move? If it hits your benefits provider, what happens to your employees? These aren’t hypothetical questions anymore.

Vendor risk has a physical dimension. The Intoxalock incident is a case study in third-party risk that most vendor risk programs would never catch. A security questionnaire doesn’t ask “if your systems go down, will my employees’ cars stop working?” But that’s the question that matters.

Incident response needs a public safety lens. When a breach exposes 2.7 million benefits records or dumps law enforcement data publicly, the incident response isn’t just about containment and recovery. It’s about the downstream harm to real people.

What to Do About It

Map your physical dependencies. Identify every system, vendor, and service where a failure would have real-world consequences beyond IT: OT systems, IoT devices, physical security, fleet management, building automation, benefits administration, all of it.

Test your business continuity for physical scenarios. Your BCP probably covers “email is down” and “data center is offline.” Does it cover “badge readers don’t work,” “HVAC is offline,” or “our benefits provider lost everyone’s data”? If not, update it.

Evaluate vendor resilience, not just vendor security. A vendor can have a strong security program and still go down. Ask vendors about their incident response capabilities, their recovery time objectives, and what happens to your operations when their systems fail.

Segment your OT and IoT networks. If ransomware hits your corporate network, it shouldn’t be able to reach building systems, manufacturing equipment, or connected devices. Network segmentation is the most cost-effective control for limiting blast radius.
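As an added example (not from the original article), here is a short Python check of the segmentation goal above: it walks a zone-to-zone allow list and reports any path, direct or multi-hop, from the corporate zone into OT/IoT zones. The zone names, the two rule sets and the `paths_into_protected` function are constructed for illustration.

```python
from collections import deque

# Constructed sample policy: (source zone, destination zone, service) allow rules.
# Zone names and rules are hypothetical, not taken from any real environment.
FLAT_RULES = [
    ("corporate", "dmz", "https"),
    ("corporate", "it-servers", "smb"),
    ("it-servers", "building-mgmt", "smb"),   # file share reused by a BMS workstation
    ("dmz", "ot-historian", "sql"),
    ("ot-historian", "plant-floor", "modbus"),
]

SEGMENTED_RULES = [
    ("corporate", "dmz", "https"),
    ("corporate", "it-servers", "smb"),
    ("ot-historian", "dmz", "https"),         # OT pushes data out; nothing initiates inbound
    ("ot-historian", "plant-floor", "modbus"),
]

PROTECTED = {"building-mgmt", "ot-historian", "plant-floor"}


def paths_into_protected(rules, start="corporate", protected=PROTECTED):
    """Return {protected zone: shortest allowed path from `start`}."""
    graph = {}
    for src, dst, svc in rules:
        graph.setdefault(src, []).append((dst, svc))

    # Breadth-first search: a multi-hop path counts, because a host compromised
    # in one zone can use whatever that zone is allowed to reach next.
    found, seen = {}, {start}
    queue = deque([(start, [start])])
    while queue:
        zone, path = queue.popleft()
        for dst, svc in graph.get(zone, []):
            if dst in seen:
                continue
            seen.add(dst)
            hop_path = path + [f"--{svc}-->", dst]
            if dst in protected:
                found[dst] = " ".join(hop_path)
            queue.append((dst, hop_path))
    return found


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        hits = paths_into_protected(rules)
        print(name, "->", hits or "no path from corporate into OT/IoT zones")
```

In the flat rule set no single rule connects corporate to the plant floor, yet the check still finds a three-hop path through the DMZ and the historian; reviewing rules one at a time misses exactly that.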

The Uncomfortable Trend

The ransomware industry has figured out that physical-world impact creates more urgency to pay. A city that can’t process permits is inconvenient. A city that can’t dispatch emergency services is a crisis. The more an organization depends on digital systems for physical operations, the more attractive it becomes as a ransomware target.

This isn’t going to slow down. Plan accordingly.

