- Sensitive information of 800,000 VW Group vehicle owners was found to be easily accessible online.
- EVs from VW, Audi, Seat, and Skoda were affected in Germany, Europe, and other parts of the world.
- The data breach was discovered by an anonymous whistleblower using freely accessible software.
Many people worry about hackers stealing their personal data, but sometimes, the worst breaches come not from shadowy cybercriminals but straight from the companies we trust. According to a new report from Germany, the VW Group stored sensitive information for 800,000 electric vehicles from various brands on a poorly secured Amazon cloud—essentially leaving the digital door wide open for anyone to waltz in. And not just briefly, but for months on end.
The breach impacts fully electric models across Audi, VW, Seat, and Skoda brands, affecting vehicles not just in Germany but throughout Europe and other parts of the world. Among the treasure trove of exposed data were GPS coordinates, battery charge levels, and other key details about vehicle status, like whether it was switched on or off. That’s right, someone with the right know-how could casually snoop on your car’s whereabouts and habits.
How Bad Is It? Really Bad.
It gets worse. A more tech-savvy user could reportedly connect vehicles to their owners’ personal credentials, thanks to additional data accessible through VW Group’s online services.
Crucially, in 466,000 of the 800,000 cases, the location data was so precise that anyone with access could create a detailed profile of each owner’s daily habits. As reported by Spiegel, the massive list of affected owners isn’t just a who’s-who of regular folks. It includes German politicians, entrepreneurs, Hamburg police officers (the entire EV fleet, no less), and even suspected intelligence service employees. Yes, even spies may have been caught up in this digital debacle.
The Cause: A Software Fumble
The exposure originated at Cariad, a VW Group company that focuses on software, and stemmed from an error that occurred in the summer of 2024. An anonymous whistleblower used freely accessible software to dig up the sensitive information and promptly alerted Chaos Computer Club (CCC), Europe’s largest hacker association.
CCC wasted no time contacting Lower Saxony’s State Data Protection Officer, the Federal Ministry of the Interior, and other security bodies. They also gave VW Group and Cariad 30 days to address the issue before going public. According to CCC, Cariad’s technical team “responded quickly, thoroughly and responsibly”, blocking unauthorized access to its customers’ data.
In a statement to Spiegel, Cariad reassured customers that no sensitive data—such as passwords or payment information—was exposed, emphasizing that they “don’t need to take any action, as no sensitive information like passwords or payment data is affected”. However, the publication raised concerns about how easily this data could have fallen into the wrong hands, including criminals, fraudsters, blackmailers, or even stalkers, posing a serious threat to the affected EV owners.
“Shocked” Politicians Demand Action
Understandably, German politicians weren’t thrilled to find themselves on the list of affected parties. One politician who reviewed her leaked data with Spiegel called the findings “shocking,” while another bluntly described the incident as “annoying and embarrassing.” Both urged local automakers to drastically improve their cybersecurity game.
Unfortunately, this isn’t the first time an automaker has fumbled customer data. Just last year, Toyota admitted to a massive breach affecting 2.15 million vehicle owners in Japan. Clearly, the automotive industry has a steep learning curve when it comes to protecting user data in the cloud.
Sometimes, though, it’s not even about a security breach. A bombshell report from The New York Times earlier this year revealed that numerous carmakers—including GM, which is now facing lawsuits over the issue—were selling driver data to the insurance industry, leading to higher premiums for many drivers.
Can Automakers Fix This Mess?
The stakes couldn’t be higher. As connectivity features and cloud-based services become standard in modern vehicles, automakers need to ensure they’re doing more than playing catch-up. If customers can’t trust companies to protect their privacy, they may think twice about embracing these high-tech features altogether.
It’s time for the auto industry to treat cybersecurity with the same urgency as crash safety—because right now, it seems some companies are still driving with their digital windows rolled down.