In a recent development reported by the German news outlet Spiegel, a significant security breach has come to light affecting a vast number of Volkswagen Group electric vehicle (EV) owners. The breach exposed sensitive location data for approximately 800,000 EVs, including models from Volkswagen, Audi, SEAT, and Skoda, which had been left unprotected on an unsecured cloud server for an extended period.
The vulnerability was discovered by an unidentified whistle-blower, who subsequently informed the Chaos Computer Club (CCC), a well-known European hacker association. The exposed data included personal information such as GPS coordinates and vehicle status for owners of VW ID.3 and ID.4 models, stored on an unsecured Amazon cloud server. This lapse in security essentially allowed individuals with the necessary technical knowledge to track the movements and habits of affected owners, posing serious privacy risks.
The impacted EVs were spread across various locations globally, with a majority of them being situated in Germany and other parts of Europe. Notably, the affected owners encompassed not just ordinary citizens but also high-profile individuals like German politicians, police officers, and suspected intelligence service employees. This breach highlights the potential dangers posed by such lapses in data security, as was also evident in a similar incident in October 2023 when over 500,000 Irish Police vehicle seizure records were exposed due to a third-party contractor breach.
The repercussions of this exposure extended beyond mere location tracking of vehicles. By linking the vehicle data with other personal details, the researchers were able to gain intricate insights into the daily routines of affected owners. For instance, the report by Spiegel outlined how they were able to track the precise movements of notable figures such as German politicians and a mayor, shedding light on their activities at various locations.
In addition to location tracking, the data breach unveiled terabytes of information stored on Amazon cloud storage, revealing the exact whereabouts of 460,000 vehicles and potentially compromising crucial details of their owners. The exposed data reportedly included information on electric cars used by the Hamburg police department, politicians, business leaders, Federal Intelligence Service employees, and drivers from the US Air Force’s Ramstein Air Base.
The primary cause of this security lapse was attributed to Cariad, the Volkswagen Group’s software division, where a system misconfiguration led to unauthorized access to the sensitive data. While Cariad confirmed that no financial or personally identifiable information was compromised, the potential misuse of the exposed location data remains a significant concern. Cybercriminals could exploit this information for malicious purposes such as stalking, blackmail, or even physical threats.
Upon learning of the breach, the CCC promptly notified relevant authorities and gave VW Group and Cariad a 30-day window to address the issue before making it public. In response, Cariad’s technical team took prompt action to block unauthorized access to customer data, demonstrating a commitment to resolving the security incident.
This incident serves as a reminder of the critical importance of robust data security measures, particularly in the realm of connected vehicles and IoT devices. It underscores the need for thorough security protocols and continuous monitoring to safeguard sensitive information and protect the privacy of individuals in an increasingly digitized world.