Volkswagen leak exposes private information of 800,000 EV owners, including location data

Concerning Data Leak: A Volkswagen subsidiary’s data breach exposed private information, including location data, of 800,000 EV owners. The leaked data affected VW, Audi, Seat, and Skoda owners and was accessible online.

The data from Cariad, the company responsible for VW software, was available online for several months, as reported by German publication Spiegel Netzwelt. It contained contact details and movement data of Volkswagen and other brand owners in various regions.

Some of the leaked information included emails, phone numbers, addresses, and details of the EVs’ locations when started and turned off.

For 460,000 vehicles, the location data was accurate to a high degree, with Volkswagen and Seat vehicles pinpointed to within ten centimeters and Audi and Skoda EVs within 10km. The list of affected owners included German politicians, entrepreneurs, and even the EV fleet operated by Hamburg police.

As is often the case with such incidents, the data was exposed due to being stored on an unprotected and misconfigured Amazon cloud service.

The leaked data originated from the software utilized in Volkswagen EVs and was brought to light by the hacker association Chaos Computer Club (CCC) after being alerted by an anonymous hacker. Following the club’s notification, Germany’s authorities gave Volkswagen and Cariad a 30-day ultimatum to address the issue.

Volkswagen has since remedied the error, ensuring that the leaked information is no longer accessible. It clarified that sensitive information like passwords and payment details was not part of the leak, and only specific online service registered vehicles were initially affected.

The automaker also mentioned that accessing the data required a sophisticated, multi-stage process, with CCC hackers needing to bypass numerous security measures, showcasing a high level of expertise and significant time investment.

This incident is not the first of its kind in the automotive industry. In 2023, Toyota faced a similar situation where customer data was exposed due to a misconfigured server.

These events underscore the challenges associated with connected cars and the handling of customer information. A 2023 study by Mozilla revealed that all 25 car brands examined collect excessive personal data, using it for purposes beyond vehicle operation and customer relationship management. The study concluded that modern cars pose a significant privacy risk.