Volkswagen leak exposes data of 800,000 EV owners

VW subsidiary stored data on an unsecured cloud server


A major data breach at a Volkswagen subsidiary has exposed sensitive personal information of nearly 800,000 electric vehicle owners in Europe and other parts of the world.

As reported by the German newspaper Der Spiegel, the breach was discovered by an anonymous hacker who reported it to Chaos Computer Club (CCC), a prominent cybersecurity association.

The compromised data was stored on an unprotected and misconfigured Amazon cloud server by Cariad, a Volkswagen subsidiary specialising in software and hardware development for the automaker and its numerous brands.

Cariad, formed in 2020, designs advanced driver assistance systems and other vehicle technologies.

The exposed data, which remained accessible online for several months, included contact information such as email addresses, phone numbers and home addresses of owners of Volkswagen, Audi, Seat, and Skoda EVs – all brands owned by the German firm.

The data even included details about when EVs were switched on and off.

For 460,000 vehicles (certain Volkswagen and Seat models), location data was highly accurate, pinpointing locations within ten centimetres. For Audi and Skoda vehicles, the accuracy ranged up to 10 kilometres.

The leak reportedly affected a wide range of individuals, including German politicians, business leaders and even intelligence services employees.

The entire electric vehicle fleet of the Hamburg police was also compromised.

According to Der Spiegel, the dataset enabled researchers to identify the locations of two German politicians during their analysis.

Volkswagen issued a statement acknowledging the data leak. The company said that the error has been rectified, and that no customer payment details or login credentials were included in the exposed dataset.

It added that accessing the information required "bypassing several security mechanisms, which required a high level of expertise and a considerable investment of time."

Despite that claim, the CCC has raised concerns about the potential long-term consequences for affected individuals.

The automotive sector follows stringent cybersecurity standards, which outline best practices to safeguard infrastructure from vulnerabilities.

On top of that, many automakers, including Volkswagen, have begun incorporating cybersecurity hardware directly into vehicles. This includes specialised chips that function as network switches, some of which are equipped with firewalls to block malicious traffic.

Despite these measures, the VW breach highlights the vulnerabilities associated with cloud-based data storage and processing. Experts suggest that the exposure of such a vast dataset, accessible online for several months, reflects systemic issues in cloud security configurations.

A 2023 study by Mozilla concluded that the data collection practices of car manufacturers constitute a "privacy nightmare," highlighting the need for greater transparency and stricter data protection regulations.

In 2022, Toyota warned that personal information of about 296,000 customers from its T-Connect service might have been leaked after an access key was mistakenly made accessible to the public on GitHub for nearly five years.