Privacy News VW Suffers Major Breach Exposing Location of 800,000 Electric Vehicles

enaph

Thread author
A massive data leak involving over 800,000 Volkswagen electric vehicles (EVs) has left sensitive user information, including location data and personal contact details, unprotected on the internet. Discovered by a whistleblower and reported by Der Spiegel, the breach highlights significant security shortcomings at VW’s software subsidiary Cariad, exposing vulnerabilities in modern vehicle data handling.

GPS locations exposed

The data breach, which remained unnoticed by VW for months, involved precise GPS data and personal information linked to owners of VW, Audi, Seat, and Škoda vehicles. Stored on an unprotected Amazon Cloud server, this dataset allowed anyone with basic technical skills to access:

  • Detailed location logs showing exactly where and when cars were parked.
  • Personal information of owners, such as names, email addresses, and phone numbers.
  • Insights into users’ routines, workplaces, leisure spots, and even sensitive visits, such as government offices, hospitals, and private establishments.

This exposed data posed risks for exploitation by criminals, espionage actors, or hackers, according to Linus Neumann of the Chaos Computer Club (CCC), who equated the situation to leaving “a massive keychain under a flimsy doormat.”

The breach impacted not only individual users but also institutional entities. Der Spiegel's report highlights the following cases:

  1. Politician Nadja Weippert, a member of the Green Party and privacy advocate, discovered her movements were meticulously recorded and linked to identifiable personal details. She described the situation as “shocking.”
  2. Markus Grübel, a CDU Bundestag member, expressed similar concerns, noting the event undermines trust in the auto industry.
  3. The Hamburg Police, with 35 EVs in their fleet, were among the affected parties.

Data from several countries, including Germany, Israel, and Ukraine, was accessible. In some cases, the GPS data was precise to within 10 centimeters.

Cariad, Volkswagen’s software arm responsible for the data handling, referred to the breach as a “misconfiguration” rather than a security flaw. The CCC had provided VW with 30 days to address the issue before making it public. VW responded promptly to close the breach and investigate further.

Cariad defended its practices, claiming the data was pseudonymized and not intended for user profiling. However, the combination of datasets by security researchers showed how easily individuals could be identified. This incident raises broader concerns about how modern vehicles and their makers collect, store, and secure data.

This latest security lapse at Volkswagen underscores an ongoing pattern of systemic vulnerabilities in the company’s IT infrastructure and data handling practices.

VW's security failures

Similar concerns have been raised in past reports, including a 20-year flaw in dealership software that exposed customer data, a five-year espionage operation by Chinese hackers targeting VW’s intellectual property, and critical vulnerabilities in vehicle systems that allowed remote engine disruption and data theft. Collectively, these incidents highlight the urgent need for VW and other automakers to prioritize cybersecurity as a foundational aspect of their digital and connected services.
 
