German auto giant Volkswagen Group suffered a massive data leak that, for months, exposed the personal information of 800,000 electric vehicle owners. For over half of the exposed vehicles, the data also included location information, in some cases accurate to within centimetres.
Security researchers who detailed the data leak at the Chaos Computer Club on December 27, 2024, say the breach stemmed from the company's failure to secure an AWS environment.
The researchers used subdomain enumeration (Subfinder) and directory brute-forcing (GoBuster) to locate a Java application built on the Spring framework. A monitoring and reporting endpoint on that application served a heap dump of the Java Virtual Machine, that is, a snapshot of everything the process held in memory at the time, including any secrets it had loaded.
Volkswagen data leak exposed PII and precise location data
The Volkswagen data leak exposed personal information such as names, dates of birth, email addresses, phone numbers, physical addresses, and car details such as model, year, VIN, and user ID.
It also included details about electric vehicles, such as the odometer, battery temperature, battery status, charging status, and warning light data. One of the exposed files also contained Volkswagen’s AWS credentials.
Over half of the exposed vehicle records, 460,000 in all, included location data. Its accuracy varied by brand: to within ten centimetres for SEAT models, but only to about six miles (10 km) for Audi and Skoda models.
The leak did not expose passwords or payment information. Affected vehicles were located mainly in Germany, Norway, Sweden and the United Kingdom, with the remainder spread across other countries.
The data leak affected Volkswagen’s ailing software unit, Cariad. The Volkswagen subsidiary says it has fixed the problem and found no evidence that anyone other than the cybersecurity researchers accessed the exposed data.
Volkswagen also said the Chaos Computer Club hackers breached the system “only by bypassing several security mechanisms, which required a high level of expertise and a considerable investment of time.”
Additionally, the company claimed the researchers could only infer pseudonymized personal details, making the PII and location data leak less significant.
However, the leaked email addresses and phone numbers are enough for targeted phishing, and location histories could be used to extort individuals whose vehicles were seen at sensitive locations.
The location data could also let malicious actors go to places where specific cars are known to be parked at specific times, in the hope of finding the vehicle or its owner there.
Excessive location data collection
Meanwhile, one of the security researchers behind the discovery criticized Volkswagen for collecting too much data, which adds a security and regulatory compliance risk and complexity.
“They were collecting far too much data,” said Flüpke. “If you want to evaluate battery safety, then you don’t need location data.”
However, he faulted some jurisdictions, such as the European Union, for requiring electric vehicle manufacturers to collect and share certain information, such as location data, for emergencies.
Separately, Cariad has suffered numerous software issues, including delays that forced the auto giant to use Google's Android Automotive to integrate various services, such as Maps and Assistant.
Volkswagen is also no stranger to data breaches. In March 2023, it disclosed that it was the victim of the third-party Speroni data breach, which affected Lamborghini as well as unrelated Italian brands such as Ferrari.