Last month, the Volkswagen Group suffered a significant data breach that compromised sensitive personal information belonging to approximately 800,000 electric vehicle (EV) owners across its various brands, including Volkswagen, Audi, Seat, and Skoda.
The breach, initially reported by the German publication Spiegel, stemmed from a misconfigured Amazon cloud storage system managed by Volkswagen’s software subsidiary, Cariad.
The misconfiguration left personal and location data exposed online for several months, leaving it vulnerable to unauthorized access.
The breach was uncovered by an anonymous hacker who reported the issue to Chaos Computer Club (CCC), a prominent European ethical hacking organization. The CCC confirmed the insecure access by testing the open data before notifying Cariad and Volkswagen of the vulnerability.
The exposed data included sensitive vehicle information, such as when electric vehicles were turned on and off, as well as detailed location data.
Personal information, including email addresses, phone numbers, and home addresses of EV owners, was also part of the breach.
The breach impacted a diverse group of individuals, including at least two German politicians and members of the Hamburg police force.
While the majority of affected vehicles were located in Germany, researchers hired by Spiegel identified compromised data from vehicles in other countries, such as Norway, Sweden, the United Kingdom, the Netherlands, France, Belgium, and Denmark.
Following the notification from CCC, Cariad acted swiftly to resolve the issue, shutting down access to the exposed data on the same day it was contacted. The company has since implemented measures to prevent similar vulnerabilities in the future.
This breach underscores the critical need for stringent data security protocols, particularly for cloud-based systems that handle sensitive personal and location information. The Volkswagen Group and Cariad continue to investigate the incident to ensure enhanced security and regain customer trust.