Facepalm: In another illustration of the dangers of our connected-car age, a data leak by a Volkswagen subsidiary revealed information, including location data, of 800,000 EV owners. The exposed data was available online, with VW, Audi, Seat, and Skoda owners affected.
The private data from Cariad, which makes VW software, was accessible online for several months, according to German publication Spiegel Netzwelt. It included contact information along with movement data for owners of Volkswagen vehicles and the company’s other car brands in Germany, Europe, and other parts of the world.
In some cases, the data included emails, phone numbers, and addresses of drivers. There were also details about where the EVs had been started and switched off.
For 460,000 of the 800,000 vehicles that made up the leak, the location data was accurate to within ten centimeters (3.9 inches) for Volkswagen and Seat vehicles, and within 10km (6.2 miles) for Audi and Skoda EVs. Spiegel writes that German politicians, entrepreneurs, and the entire EV fleet driven by Hamburg police were included on the list of owners, and it’s even suspected that intelligence service employees were also part of the leak.
As we’ve seen many times before with these sorts of incidents, the data was accessible because it had been left on an unprotected, misconfigured Amazon cloud storage service.
The leaked information is reported to have come from the software used in Volkswagen EVs. The data was highlighted by the hacker association Chaos Computer Club (CCC), which was tipped off by an anonymous hacker. The club contacted Germany’s Federal Ministry of the Interior and the state police, which gave Volkswagen and Cariad 30 days to address the situation before going public.
Volkswagen says the error has now been rectified and the information is no longer accessible. It adds that passwords and payment information were not part of the leak, and that only select vehicles registered for online services were initially at risk.
The automaker also said that the data was accessed in a very complex, multi-stage process, and that the CCC hackers could only access pseudonymized vehicle data after bypassing several security mechanisms, which required a high level of expertise and a considerable investment of time.
This isn’t the first leak of this kind for a car maker. In 2023, Toyota apologized after discovering that a misconfigured server had been exposing some customer data on the web for nearly a decade.
These incidents highlight the issues that come with connected cars and the sharing of customer info. A study by Mozilla in 2023 found that all 25 car brands investigated collect too much personal data and use it for reasons other than operating your vehicle and managing their relationship with the customer. Mozilla’s conclusion was that modern cars are a “privacy nightmare.”