A massive data breach occurred at Volkswagen’s software subsidiary, Cariad. The breach exposed the personal data of approximately 800,000 electric vehicle (EV) owners online, leaving it accessible to anyone for months. German media outlet Der Spiegel reported last week (2024) that the breach involved Volkswagen, Audi, Seat, and Skoda EVs and affected owners in Germany, across Europe, and around the world.
The data exposed online included customers’ contact information and geographic data, which could be used to determine whether a car was parked at home, on a highway, or in a specific location (such as outside a brothel). The sensitive information was stored in an unprotected and misconfigured Amazon cloud storage system, exposing it for months. The issue was brought to light by a warning from the hacker group Chaos Computer Club (CCC), which reportedly received a tip from an anonymous hacker.
Volkswagen said the data had been publicly accessible for months, but there was no evidence that anyone had actually exploited it. However, 466,000 of the approximately 800,000 vehicles in the fleet had location data stored so precisely that drivers’ daily lives could have been tracked. Der Spiegel noted that the list of owners included German politicians, business people, police officers, and even suspected intelligence agents, highlighting the potential for a serious invasion of privacy.
In response to the Der Spiegel report, Cariad insists that no sensitive data was exposed and that customers do not need to take any action, as passwords and payment data were unaffected. Volkswagen also stressed that accessing individual data required a high level of expertise and a significant investment of time, adding that the CCC had to bypass several security mechanisms and combine different data sets to draw conclusions about a specific user’s data.
This incident highlights the auto industry’s challenges with software and data security. Volkswagen has responded to the incident by saying it will “improve procedures and strengthen security,” but restoring trust in its protection of customer information will not be easy.
Meanwhile, Volkswagen is not the only manufacturer to have suffered such an incident. In 2023, Toyota also admitted to a data breach in Japan, in which the data of more than 2 million owners was leaked.