Global automotive giant Volkswagen is at the centre of a massive data leak, one that could have leaked critical information about owners of its EV range. The leak affected Cariad, the Wolfsburg-headquartered company’s software subsidiary, and exposed sensitive information for 800,000 electric vehicle owners, including their location. This was first reported by Germany’s Spiegel news magazine. The leaked data, which was available online for months, contains precise location details of 460,000 vehicles, along with movement data and contact information.
Volkswagen – which saw its Q3 2024 revenue decline by 41.7% year over year, from 4.9 billion euros ($5.3 billion) to 2.8 billion euros ($3 billion) – also had vehicles from its fully owned subsidiaries, including Audi, Skoda, and SEAT, affected in this leak. As reported, the leaked data was stored on Amazon’s cloud platform and was found by the Chaos Computer Club (CCC), a group of ethical hackers. Surprisingly, the list of affected owners does not seem random, as it includes not only German politicians and entrepreneurs but also the entire EV fleet used by the Hamburg police and even suspected intelligence service workers.
As stated earlier, Spiegel revealed that Cariad unintentionally made it possible for an attacker to locate and access driver data. This data not only includes linked owners’ names and contact details – such as phone numbers and email addresses – but also provides information about when EVs were turned on and off. Meanwhile, this issue is said to have been resolved by Volkswagen after the Chaos Computer Club informed them about it in November 2024.
This follows a string of high-profile data breaches that have come thick and fast in recent times. Earlier in November, Amazon confirmed that a security breach involving a third-party vendor had compromised some of its employee data. The list does not end there: in August 2024, FlightAware, the 19-year-old aviation company offering flight tracking services, announced a major data breach that exposed the sensitive information of millions of users.
While Volkswagen claims that the breach only impacted vehicles registered for online services and involved pseudonymized data that could not directly identify specific customers, the company has launched a formal investigation into the matter.
However, on a positive note, there is no evidence of malicious access to this data as of yet. Volkswagen clarified that accessing the exposed data was not easy. It involved a complex, multi-step process that only hackers with specific technical expertise, like those from the Chaos Computer Club (CCC), were able to carry out successfully.