TL;DR: Ransomware rose to 44% of all publicly reported automotive and smart mobility incidents in 2025, while 68% led to data or privacy breaches and 34% to service or business disruption, according to Upstream Security analysis of 494 cases. AI is amplifying backend, API, and telematics attack paths across connected mobility ecosystems, making governance and resilience harder to separate.
NHIMG editorial — based on content published by Upstream Security: 2026 Global Automotive and Smart Mobility Cybersecurity Report
By the numbers:
- Ransom related incidents accounted for 44% of all incidents, more than doubling compared with 2024.
- 61% of incidents had the potential to impact thousands to millions of mobility assets, with 20% classified as massive-scale incidents.
- 67% of incidents stemmed from telematics and cloud, while 68% led to data or privacy breaches.
Questions worth separating out
Q: What breaks when telematics and cloud identities are not tightly governed?
A: When telematics and cloud identities are loosely controlled, attackers can reuse one exposed credential or token to move from a peripheral service into backend operations, fleet data, or customer-facing systems.
Q: Why do connected mobility environments increase the impact of ransomware?
A: Connected mobility environments increase ransomware impact because booking, charging, fleet management, and data services often share the same cloud and identity dependencies.
Q: How do security teams know if service account governance is actually working?
A: Governance is working when every service account has an owner, a workload, a retirement condition, and an auditable rotation path.
Practitioner guidance
- Map service identities across the mobility stack Build a live inventory of telematics, cloud, API, and partner service identities, including owners, scopes, and authentication methods.
- Shorten credential lifetime for backend and API access Replace long-lived tokens and static secrets with short-lived, task-scoped credentials where integration design allows.
- Segment recovery around identity boundaries Define containment and recovery procedures by service identity and dependency chain, not only by endpoint or host.
What's in the full report
Upstream Security's full report covers the operational detail this post intentionally leaves for the source:
- Year-over-year incident breakdowns by threat type, including the ransomware trend behind the 44% share
- Sector-level incident examples showing how telematics, cloud, and API compromise combine into multi-stage attacks
- Historical report comparisons that show how the attack mix has shifted across 2023, 2024, and 2025
- The underlying public-incident methodology used to build the 494-incident dataset
👉 Read Upstream Security's 2026 automotive and smart mobility cybersecurity report →
AI in automotive cybersecurity is changing the attack surface fast?
Explore further
AI is turning automotive cybersecurity into an identity governance problem. The report frames AI as an accelerator of attack paths, but the deeper issue is that connected mobility depends on machine identities, backend service accounts, and API credentials that can be discovered, reused, or abused. Once those identities are exposed, attackers can move from telematics entry points into cloud services and operational backends. Practitioners should treat mobility platforms as identity-intensive systems, not just connected devices.
A question worth separating out:
Q: What should organisations prioritise first in automotive cybersecurity resilience?
A: Organisations should prioritise identity-aware segmentation, credential lifecycle control, and dependency mapping before they assume recovery will be straightforward. In connected mobility, resilience depends on being able to isolate compromised services quickly without breaking unrelated operations or exposing data across the stack.
👉 Read our full editorial: Automotive cybersecurity risk is shifting toward AI-driven attack paths