A massive data leak involving over 800,000 Volkswagen electric vehicles (EVs) has left sensitive user information, including location data and personal contact details, unprotected on the internet. Discovered by a whistleblower and reported by Der Spiegel, the breach highlights significant security shortcomings at VW’s software subsidiary Cariad, exposing vulnerabilities in modern vehicle data handling.
GPS locations exposed
The data breach, which remained unnoticed by VW for months, involved precise GPS data and personal information linked to owners of VW, Audi, Seat, and Škoda vehicles. Stored on an unprotected Amazon Cloud server, this dataset allowed anyone with basic technical skills to access:
- Detailed location logs showing exactly where and when cars were parked.
- Personal information of owners, such as names, email addresses, and phone numbers.
- Insights into users’ routines, workplaces, leisure spots, and even sensitive visits, such as government offices, hospitals, and private establishments.
This exposed data posed risks for exploitation by criminals, espionage actors, or hackers, according to Linus Neumann of the Chaos Computer Club (CCC), who equated the situation to leaving “a massive keychain under a flimsy doormat.”
The breach impacted not only individual users but also institutional entities. Der Spiegel's report highlights the following cases:
- Politician Nadja Weippert, a member of the Green Party and privacy advocate, discovered her movements were meticulously recorded and linked to identifiable personal details. She described the situation as “shocking.”
- Markus Grübel, a CDU Bundestag member, expressed similar concerns, noting the event undermines trust in the auto industry.
- The Hamburg Police, with 35 EVs in their fleet, were among the affected parties.
Data from several countries, including Germany, Israel, and Ukraine, was accessible. In some cases, the GPS data was precise to within 10 centimeters.
Cariad’s Response
In response to the breach, Cariad, Volkswagen’s software arm, acknowledged the issue, stating that the Chaos Computer Club (CCC) had pointed out a misconfiguration in two IT applications on November 26, 2024. The company acted promptly to close the vulnerability the same day. The misconfiguration, which had allowed access to pseudonymized vehicle data, no longer exists.
Cariad emphasized that the data involved was not sensitive personal information like passwords or payment details, and no vehicles or services were impacted. Only certain vehicle data from online-connected cars were affected. The company also confirmed that no unauthorized third-party access occurred, and they have reported the incident to relevant authorities.
Cariad clarified that the data, such as charging behavior and habits, was anonymized and used to improve future vehicle features, such as battery and charging software. No personal user profiles were created, and customers had the option to disable online services at any time.
VW assured customers that all data processing is conducted in compliance with legal requirements and customer consent, with strong privacy measures in place, including data separation, pseudonymization, and strict data usage limits.
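The gap between "pseudonymized" and "anonymous" is the crux of this story: a stable pseudonym attached to precise parking logs still yields a home location and a multi-day routine, which is exactly how Der Spiegel could tie records to named people. The Python below is an added illustration, not code from the article, Cariad or the CCC; the records, pseudonyms and coordinates are constructed for the example, and the two mitigations (coarsening coordinates, rotating pseudonyms per day) are the kind of privacy-engineering checks a data owner would run before calling such a dataset safe.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of pseudonymized parking records: (pseudonym, ISO timestamp, lat, lon).
# Coordinates are invented and do not describe any real vehicle or person.
RECORDS = [
    ("v-7f3a", "2024-11-20T22:10:00", 52.52014, 13.40498),
    ("v-7f3a", "2024-11-21T07:55:00", 52.51630, 13.37777),
    ("v-7f3a", "2024-11-21T22:05:00", 52.52014, 13.40498),
    ("v-7f3a", "2024-11-22T23:30:00", 52.52014, 13.40498),
    ("v-7f3a", "2024-11-23T12:00:00", 52.50370, 13.37820),
    ("v-9c21", "2024-11-20T21:40:00", 48.13743, 11.57549),
    ("v-9c21", "2024-11-21T22:15:00", 48.13743, 11.57549),
    ("v-9c21", "2024-11-22T08:00:00", 48.13513, 11.58198),
]

def overnight(ts: str) -> bool:
    """A record is 'overnight' if the car was parked between 20:00 and 06:00."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= 20 or hour < 6

def likely_home(records, digits=5):
    """Most frequent overnight parking spot per pseudonym, at the given decimal precision.
    Five decimals is roughly metre-level, so a stable pseudonym pins down a single address."""
    spots = defaultdict(Counter)
    for pseudonym, ts, lat, lon in records:
        if overnight(ts):
            spots[pseudonym][(round(lat, digits), round(lon, digits))] += 1
    return {p: c.most_common(1)[0][0] for p, c in spots.items()}

def profile_span_days(records):
    """Distinct days of data linkable under each pseudonym: the longer, the richer the routine."""
    days = defaultdict(set)
    for pseudonym, ts, _, _ in records:
        days[pseudonym].add(ts[:10])
    return {p: len(d) for p, d in days.items()}

def coarsen(records, digits=2, rotate_daily=True):
    """Mitigation: truncate coordinates (2 decimals is roughly a 1 km cell) and, optionally,
    replace the stable pseudonym with a per-day one so records cannot be chained across days."""
    out = []
    for pseudonym, ts, lat, lon in records:
        p = f"{pseudonym}:{ts[:10]}" if rotate_daily else pseudonym
        out.append((p, ts, round(lat, digits), round(lon, digits)))
    return out
```

On the raw records the inferred home of `v-7f3a` is the exact parking spot and its profile spans four days; after coarsening, the "home" is only a 1 km cell, and with daily rotation no pseudonym carries more than one day of history.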
However, this latest security lapse at Volkswagen underscores an ongoing pattern of systemic vulnerabilities in the company’s IT infrastructure and data handling practices.
VW's security failures
Similar concerns have been raised in past reports, including a 20-year flaw in dealership software that exposed customer data, a five-year espionage operation by Chinese hackers targeting VW’s intellectual property, and critical vulnerabilities in vehicle systems that allowed remote engine disruption and data theft. Collectively, these incidents highlight the urgent need for VW and other automakers to prioritize cybersecurity as a foundational aspect of their digital and connected services.
Thomas
“VW assured customers that all data processing is conducted in compliance with legal requirements and customer consent,
… and they are blatantly lying. Not only that, they know they are doing that.
There’s no such thing as ‘Can we track every movement you make for ever and keep that data for ever?’
Which is what they do and GDPR demands they have to say it in plain English. They don’t.
Which also means they *do not have* customer consent in any sense GDPR *requires* them to have.
These a**holes of course know it is so, they aren’t stupid, they’re criminals.