Volkswagen's software subsidiary, Cariad, unintentionally exposed sensitive data from approximately 800,000 electric vehicles, compromising customer information such as names and detailed location data.

Massive volumes of customer information were left unsecured in Amazon cloud storage for months, potentially allowing even individuals with minimal technical expertise to track drivers' movements or access personal data.

The databases included details from VW, Seat, Audi, and Skoda vehicles. For some models, geo-location data was accurate to within centimeters, significantly increasing the potential for misuse.

Misconfigured Applications Lead to Data Leak
According to a Cariad representative speaking to BleepingComputer, the issue stemmed from improper configurations in two IT applications. The Chaos Computer Club (CCC), Europe’s largest ethical hacker organization, reported the vulnerability on November 26.

The CCC, informed by a whistleblower, verified the insecure access before responsibly disclosing the issue to Cariad and Volkswagen, along with technical details to address the problem.

Scope of Exposure and High-Profile Implications
Of the 800,000 affected vehicles, researchers found precise geo-location data for 460,000, including data on Hamburg police patrol cars and suspected intelligence agency vehicles. Exposed location data also identified high-profile individuals, such as politicians Nadja Weippert and Markus Grübel.

Investigators uncovered that the data was stored on an Amazon cloud instance, accessible due to credentials found in a memory dump from an internal Cariad application. Some data points even revealed exact car locations when their electric motors were turned off.
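The access path described above, a cloud credential sitting in a memory dump of an internal application, is a textbook reason to scan crash dumps, heap snapshots and log bundles for secrets before they are stored or shared. The following is an added example, not code from Cariad, Volkswagen or the CCC: it scans a byte blob for AWS-style access key IDs (which begin with AKIA for long-term keys or ASIA for temporary ones) and for secret access keys that appear next to a recognisable label, and redacts them. The dump contents and bucket name are constructed for the example, and the key pair is AWS's documented placeholder, not a real credential.

```python
import re

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for
# long-term keys, ASIA for temporary STS keys) plus 16 upper-case
# letters or digits. The lookarounds reject strings that merely contain
# such a run (a longer hash, for instance).
AWS_KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 characters of [A-Za-z0-9/+]. Because that
# alone matches far too much binary data, only flag a 40-char run that
# sits within a few characters of an "aws_secret_access_key"-style label.
AWS_SECRET_RE = re.compile(
    rb"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

# Constructed stand-in for a memory dump of a telemetry uploader process.
# The key ID / secret pair is AWS's published example credential.
CONSTRUCTED_DUMP = (
    b"\x00\x00telemetry-uploader v2.3\x00"
    b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\x00"
    b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    b"bucket=vehicle-telemetry-eu\x00"          # hypothetical bucket name
    b"hash=AKIA0000000000000000000\x00"         # 23 chars: a look-alike, not a key ID
)


def find_aws_credentials(blob: bytes) -> dict:
    """Return the AWS key IDs and labelled secret keys found in a byte blob."""
    key_ids = [m.group(0).decode() for m in AWS_KEY_ID_RE.finditer(blob)]
    secrets = [m.group(1).decode() for m in AWS_SECRET_RE.finditer(blob)]
    return {"key_ids": key_ids, "secrets": secrets}


def redact(blob: bytes) -> bytes:
    """Mask credentials in place so the artifact can be kept for debugging."""
    # Keep the 4-char prefix so the kind of key is still visible in reports.
    blob = AWS_KEY_ID_RE.sub(lambda m: m.group(1) + b"*" * 16, blob)
    # Keep the label, replace the 40-char secret that follows it.
    blob = AWS_SECRET_RE.sub(lambda m: m.group(0)[:-40] + b"*" * 40, blob)
    return blob


def is_clean(blob: bytes) -> bool:
    """True when no AWS credential pattern is present (gate for export)."""
    found = find_aws_credentials(blob)
    return not found["key_ids"] and not found["secrets"]


if __name__ == "__main__":
    report = find_aws_credentials(CONSTRUCTED_DUMP)
    print("key IDs found:", report["key_ids"])
    print("secrets found:", len(report["secrets"]))
    cleaned = redact(CONSTRUCTED_DUMP)
    print("clean after redaction:", is_clean(cleaned))
```

In practice a gate like `is_clean` belongs wherever dumps leave the host (the crash-reporting pipeline, the CI artifact upload, the ticketing attachment step), and a hit should trigger rotation of the key rather than just redaction, since the dump may already have been copied.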


For VW and Seat models, geo-location accuracy was within 10 centimeters, whereas Audi and Skoda data had a less precise 10-kilometer range.

Quick Response and Fixes
After receiving the CCC’s report, Cariad swiftly closed the vulnerability the same day. The CCC confirmed the company’s prompt and responsible action, stating that no evidence suggested misuse of the data by any party besides their ethical hackers.

Protecting Customer Data While Enabling Innovation
Cariad assured customers that the leaked data only included information collected from vehicles connected to the internet and registered for online services. The company emphasized that data was pseudonymized, and additional effort was required to associate details with individual users.

Although the exposed data did not compromise the vehicles themselves, the breach has raised questions about the balance between privacy and innovation. Cariad highlighted that data collection enables the development of advanced digital features and the improvement of battery technology and charging solutions.

“Without this data, smart, digital, and personalized functions could not be provided, optimized, or expanded,” the company stated.

Volkswagen Group brands operate within legal regulations for data collection, ensuring customer consent and allowing users to deactivate data-sharing features. Cariad maintains that robust data protection practices, including pseudonymization, anonymization, and strict access controls, are in place to safeguard customer information.

This incident underscores the importance of strong cybersecurity measures in the automotive industry as cars become increasingly connected and data-reliant.
