Facepalm: Another example of the risks in our connected-car era has surfaced, as a data breach by a Volkswagen subsidiary exposed information, including location data, of 800,000 EV owners. Affected users included owners of VW, Audi, Seat, and Skoda vehicles, with their data available online.
The private data from Cariad, which develops VW software, was accessible online for several months, according to the German publication Spiegel Netzwelt. It involved contact information and movement data for Volkswagen vehicle owners and drivers of the company’s other brands in Germany, Europe, and beyond.
In numerous instances, the data included emails, phone numbers, and addresses of drivers. It also detailed locations where the EVs were started and switched off.
For 460,000 of the 800,000 vehicles in the leak, location data was precise to within ten centimeters (3.9 inches) for Volkswagen and Seat vehicles, and to within 10 km (6.2 miles) for Audi and Skoda EVs. Spiegel notes that German politicians, entrepreneurs, and the entire Hamburg police EV fleet were among the owners, and that intelligence service staff are suspected to be among those compromised as well.
As is often the case, the data was exposed because it was stored on an unprotected, improperly configured Amazon cloud storage service.
The leaked data reportedly originated from the software used in Volkswagen EVs. The breach was flagged by the hacker group Chaos Computer Club (CCC), following an anonymous hacker’s tip. The CCC informed Germany’s Federal Ministry of the Interior and state police, and gave Volkswagen and Cariad 30 days to address the issue before going public.
Volkswagen claims the error has been corrected, and the data is no longer accessible. They noted that passwords and payment data were not included in the breach and that the risk was primarily to vehicles registered for online services.
The automaker also stated that accessing the data required a highly complex, multi-stage process. CCC hackers were only able to reach pseudonymized vehicle data after bypassing multiple security layers, which demanded high expertise and time investment.
This isn’t the first car manufacturer to experience such a leak. In 2023, Toyota apologized after a misconfigured server exposed customer data online for nearly ten years.
These cases highlight the challenges connected cars pose for customer data privacy. A 2023 study by Mozilla found that all 25 car brands it researched collect excessive personal data and use it for more than vehicle operation and customer relationship management. According to Mozilla, modern cars are a “privacy nightmare.”