A significant data breach at Volkswagen (VW) exposed the real-time locations of approximately 800,000 electric vehicles (EVs) for several months, according to a report by German news magazine Der Spiegel. The global incident affected owners of VW, Audi, Seat, and Skoda EVs, revealing their vehicles’ locations whether at home, on the road, or parked.
VW collects data, including GPS coordinates, through its mobile app. After setup, the app allows owners to preheat their cars, monitor battery levels, and check remaining range. Der Spiegel reports this data collection creates a detailed profile of an individual’s daily movements.
The data became publicly accessible due to an error, exposing terabytes of information linked to around 800,000 EVs on Amazon’s cloud storage system. Der Spiegel claims it replicated the vulnerability and states that accessing the system wouldn’t have been difficult for malicious actors.
The exposed data potentially included vehicle location, owner names, contact details, email addresses, home addresses, and in some instances, even cell phone numbers.
The breach reportedly stemmed from an oversight by Cariad, a VW subsidiary responsible for the EV software platform. The error, introduced last summer, remained unnoticed until a whistleblower alerted Der Spiegel and the Chaos Computer Club.
Der Spiegel highlights potential misuse of the data, including tracking by foreign intelligence or blackmail based on location history.
Cariad states it collects pseudonymized data on charging behavior and habits to improve batteries and software. It claims no sensitive data such as passwords or payment details was compromised. VW offers a deactivation option for online services requiring personal data processing. VW has not yet publicly commented on the incident. MaagX has contacted the automaker for a statement.
This incident underscores growing concerns about data collection by automakers, facilitated by advancements in vehicle connectivity and sensor technology. This issue has largely gone unnoticed by the public, highlighting the need for greater privacy awareness in the automotive industry.