For months, the precise location data of approximately 800,000 electric Volkswagen vehicles was accessible online due to a significant data leak, as reported by German news outlet Der Spiegel.

The vulnerability stemmed from software integrated into Volkswagen vehicles, potentially allowing malicious actors to trace drivers’ movements in real time.

The issue wasn’t limited to Volkswagen alone; it also impacted vehicles from other brands under the company’s umbrella, including Audi, Seat, and Skoda, according to Electrek. The leak was brought to light by a whistleblower who alerted both Der Spiegel and the Chaos Computer Club, a European hacking collective, prompting further investigation.

Der Spiegel discovered that the breach originated from Cariad, Volkswagen’s software subsidiary, and involved driver data stored on Amazon’s cloud platform. This data included the precise locations of vehicles, records of when they were powered on and off, and, in some cases, sensitive personal information like driver emails, phone numbers, and addresses.

The accuracy of the leaked location data varied: for Volkswagen and Seat models, it was precise within ten centimeters, while for Audi and Skoda vehicles, the accuracy was within 10 kilometers (~6 miles).

In response, Cariad assured affected customers that passwords and payment information were not compromised and that no immediate action was required. However, neither Cariad nor Volkswagen has provided further comments as of now.

The incident highlights growing concerns over the vast amounts of data modern vehicles collect and the risks that collection poses to privacy. Mozilla recently described modern cars as “privacy nightmares,” pointing to their extensive data collection practices. This breach adds to mounting scrutiny of automakers over their handling of customer data and cybersecurity practices.
