A serious data leak exposed the locations and personal details of approximately 800,000 electric Volkswagen vehicles for months, leaving sensitive driver information accessible online. According to the German magazine Der Spiegel, the issue originated from vulnerabilities in the software installed in Volkswagen vehicles, potentially allowing malicious actors to track drivers’ precise movements.
Data breach affects Volkswagen and affiliated brands
The breach affected Volkswagen vehicles and electric models from other Volkswagen brands, including Audi, Seat, and Skoda. A whistleblower uncovered the vulnerability and alerted Der Spiegel and the European hacking group Chaos Computer Club. Their investigation revealed the flaw in Cariad, a Volkswagen subsidiary responsible for the automaker’s software.
Cariad’s flawed system reportedly allowed external access to sensitive data stored in Amazon’s cloud. This included vehicle activity, such as when cars were powered on or off, and personal driver details like names, email addresses, phone numbers, and physical addresses. In some cases, the location data was alarmingly precise—accurate to within 10 centimetres for Volkswagen and Seat models and within six miles for Audi and Skoda vehicles.
Volkswagen responds to privacy concerns
The leaked data raised significant concerns about the security of modern vehicles and the vast amount of personal information they collect. While the exposure of exact locations and driver contact details poses clear risks, Cariad assured customers that no sensitive information, such as payment details or passwords, was involved. A statement to Der Spiegel stressed that affected customers do not need to take any immediate action.
However, the leak has sparked renewed scrutiny over how car manufacturers manage and safeguard the extensive data generated by today’s vehicles. Mozilla recently referred to modern cars as “a privacy nightmare,” highlighting the risks associated with the increasing digitisation of the automotive industry. Privacy advocates urge automakers to take greater responsibility for protecting customer data and improving transparency.
Volkswagen has not provided additional comments, and efforts to contact Cariad for further clarification were unsuccessful. Despite the company’s assurances, the incident has heightened awareness of potential vulnerabilities in connected vehicles, reminding consumers to be cautious about the data they share.
