
Volkswagen Data Leak: 800,000 Electric Car Owners At Risk

Volkswagen Group suffered a significant data breach in December 2024, compromising the personal information of approximately 800,000 electric vehicle (EV) owners. The compromised databases contained sensitive data from Volkswagen, SEAT, Audi, and Škoda vehicles.

Alarmingly, some geo-location data was so exact that it could locate places to within a few centimetres. A misconfigured Amazon cloud storage system resulted in the exposure of critical information.

Volkswagen’s software company Cariad, which oversees the cloud infrastructure, was the cause of this issue. This misconfiguration left terabytes of customer data vulnerable for several months.

The vulnerability affected only internet-connected automobiles that have enrolled for online services. Researchers identified geo-location data for 460,000 of the almost 800,000 automobiles exposed, some with accuracy as close as 10 centimetres. This revealed accurate GPS data, allowing the building of detailed mobility profiles for both cars and their owners.

Location Tracking and Privacy Nightmare

The privacy implications were extensive, affecting not only ordinary citizens but also prominent individuals, including legislators, corporate executives, and law enforcement agencies.

According to 2023 Mozilla Foundation research, twenty-five automakers collect an excessive amount of data, and 76% of those companies acknowledge that they could resell it. This makes current automobiles a “privacy nightmare.” Alarmingly, 68% of respondents reported hacks, breaches, or leaks within the previous three years.

The Chaos Computer Club (CCC), a well-known German ethical hacking company, discovered the vulnerability. The CCC quickly notified Volkswagen of the vulnerability, allowing the company to secure it before hostile actors exploited it.

Among the exposed vehicles in Hamburg were over thirty police patrol cars and vehicles linked to intelligence personnel.

The German newspaper Spiegel enlisted journalists and IT specialists to investigate location data obtained from the vehicles of two German politicians, Markus Grübel of the Bundestag and Nadja Weippert.

Researchers identified unprotected Cariad resources containing sensitive files using publicly available tools. One such resource included a memory dump from an internal Cariad application, exposing access keys to an Amazon cloud storage instance.
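A check of the kind that catches this before a diagnostic dump is stored anywhere reachable, as an added example (not code from the CCC, Spiegel or Cariad): it scans dump bytes for AWS access key IDs in both ASCII and UTF-16 form and reports only fingerprints of nearby secret candidates. The function names, the 512-character window and the sample bytes are assumptions made for illustration; the sample uses AWS's documented example credentials and a made-up temporary key ID.

```python
import hashlib
import re

# Access key IDs: "AKIA" (long-term) or "ASIA" (temporary) + 16 uppercase alphanumerics.
KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys: exactly 40 characters from the base64 alphabet.
SECRET = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
WINDOW = 512  # characters around a key ID searched for a secret (assumed heuristic)

# Constructed sample: AWS's documented example credentials inside dump-like bytes,
# plus a made-up temporary key ID stored as UTF-16, as some runtimes keep strings.
SAMPLE = (
    b"\x00\x01heap\xff" + b"aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\x00"
    + b"aws.secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"\x7f\x10" + "ASIAABCDEFGHIJKLMNOP".encode("utf-16-le") + b"\x00\x00\xfe"
)


def fingerprint(secret):
    """Short SHA-256 prefix, so the report never repeats the secret itself."""
    return hashlib.sha256(secret).hexdigest()[:12]


def scan_dump(data):
    """Return AWS credential findings in a binary dump, sorted by byte offset."""
    findings = {}
    # View 1 is the raw bytes; the other two take every second byte, which
    # recovers ASCII text stored as UTF-16 (either byte order, any alignment).
    for start, step in ((0, 1), (0, 2), (1, 2)):
        view = data[start::step]
        for m in KEY_ID.finditer(view):
            offset = start + step * m.start()
            if step == 2 and any(data[offset + 1 : offset + 39 : 2]):
                continue  # bytes between the characters are not NUL: not UTF-16
            near = view[max(0, m.start() - WINDOW) : m.end() + WINDOW]
            findings[offset] = {
                "offset": offset,
                "encoding": "ascii" if step == 1 else "utf-16",
                "key_id": m.group().decode("ascii"),
                "secret_candidates": [fingerprint(s.group()) for s in SECRET.finditer(near)],
            }
    return [findings[k] for k in sorted(findings)]


if __name__ == "__main__":
    for finding in scan_dump(SAMPLE):
        print(finding)
```

Any finding means the keys should be rotated and the dump kept out of shared or public storage; the 40-character match is only a candidate and needs confirming against the account's actual credentials.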

Data from Volkswagen Group vehicles, such as latitude and longitude coordinates recorded when the electric motor was switched off, had been stored in the cloud.

CCC representatives told Spiegel that Cariad’s technical staff “responded quickly, thoroughly, and responsibly” after receiving the breach information. The company said that it responded within hours to investigate the issue. Cariad found no sign that anyone other than the CCC hackers accessed or exploited the leaked car data.

Cariad clarified that the CCC only had access to data gathered from automobiles, not the actual vehicles. The business also informed Volkswagen Group consumers that they may enable or stop products and services that involve the processing of personal data at any time.

However, Cariad highlighted that gathering data from vehicles is necessary to enhance digital features and provide customers with additional benefits.

This breach adds to a number of other occurrences in the sector. Hacker Sam Curry’s group got access to dealer and staff accounts for BMW in January 2023, revealing private sales records. Mercedes-Benz faced a compromise in its internal chat system, and Kia vehicles were found vulnerable to remote unlocking and starting.

Volkswagen reassured customers that no immediate action was required. However, this incident underscores the urgent need for stronger data security within the automotive industry. Volkswagen has yet to announce specific measures to address the security vulnerability or bolster its defences.
