People commonly worry about hackers stealing their personal data, but sometimes the most serious incidents are caused not by cybercriminals but by companies we trust. This time the fault lay with the Volkswagen Group, which did not sufficiently protect customer information.


VW Group stored confidential data related to 800 thousand electric vehicles in the Amazon cloud without sufficient protection; the information remained vulnerable for several months. Electric vehicles from the VW, Audi, Seat and Skoda brands around the world were affected. The exposed data included geodata, battery charge information, and key information about the status of the vehicle, including whether it was working or not. With sufficient technical expertise, a hypothetical attacker could access additional data in VW Group’s online services and link it to the owner’s personal information. In 466,000 of the 800,000 cases, the location data was so precise that it was possible to create a detailed profile of each owner’s daily habits.

The data at risk belonged not only to ordinary citizens but also to officials: German politicians, entrepreneurs, Hamburg police officers and probably even the intelligence service. The vulnerability arose in the summer of 2024, when Cariad, the company responsible for VW Group software products, made an error. It was discovered by an anonymous expert who confirmed the vulnerability and notified Europe’s largest hacker association, Chaos Computer Club (CCC), about the incident. The organization immediately notified the data protection commissioner in Lower Saxony, the Ministry of Internal Affairs and other security authorities. The departments gave VW Group and Cariad 30 days to fix the problem, after which they promised to make information about it public. Cariad “responded quickly, thoroughly and responsibly” by blocking unauthorized access to customer data, CCC said.

Cariad subsequently assured customers that sensitive information, including passwords and payment details, had not been compromised and therefore no action was required on their part. German politicians were extremely concerned about the incident and called on automakers to strengthen cybersecurity measures.
