Volkswagen leak exposes private information of 800,000 EV owners, including location data

midian182

Facepalm: In another illustration of the dangers of our connected-car age, a data leak by a Volkswagen subsidiary revealed information, including location data, of 800,000 EV owners. The exposed data was available online, with VW, Audi, Seat, and Skoda owners affected.

The private data from Cariad, which makes VW software, was accessible online for several months, according to German publication Spiegel Netzwelt. It included contact information along with movement data for owners of Volkswagen vehicles and the company's other car brands in Germany, Europe, and other parts of the world.

In some cases, the data included emails, phone numbers, and addresses of drivers. There were also details about where the EVs had been started and switched off.

For 460,000 of the 800,000 vehicles that made up the leak, the location data was accurate to within ten centimeters (3.9 inches) for Volkswagen and Seat vehicles, and within 10km (6.2 miles) for Audi and Skoda EVs. Spiegel writes that German politicians, entrepreneurs, and the entire EV fleet driven by Hamburg police were included on the list of owners, and it's even suspected that intelligence service employees were also part of the leak.

As we've seen many times before with these sorts of incidents, the data was accessible due to it being left on an unprotected and misconfigured Amazon cloud storage service.

The leaked information is reported to have come from the software used in Volkswagen EVs. The data was highlighted by the hacker association Chaos Computer Club (CCC), which was tipped off by an anonymous hacker. The club contacted Germany's Federal Ministry of the Interior and the state police, which gave Volkswagen and Cariad 30 days to address the situation before going public.

Volkswagen says the error has now been rectified and the information is no longer accessible. It adds that passwords and payment information were not part of the leak, and that only select vehicles registered for online services were initially at risk.

The automaker also said that the data was accessed in a very complex, multi-stage process, and that the CCC hackers could only access pseudonymized vehicle data after bypassing several security mechanisms, which required a high level of expertise and a considerable investment of time.

This isn't the first leak of this kind for a car maker. In 2023, Toyota apologized after discovering that a misconfigured server had been exposing some customer data on the web for nearly a decade.

These incidents highlight the issues that come with connected cars and the sharing of customer info. A study by Mozilla in 2023 found that all 25 car brands investigated collect too much personal data and use it for a reason other than to operate your vehicle and manage their relationship with the customer. Mozilla's conclusion was that modern cars are a "privacy nightmare."

 
If VW is still transmitting the location data from the car to a centralized location; and continuing to store that location data; then that's two errors that have not been corrected.

Did they disclose before sale, and gain consent, to do these things? Are they required to under GDPR or other protections?
 
I have a feeling that removing the vehicle's ability to communicate collected driver data will become a popular mode in the future. Gentle 12v to the wrong pin on the car's modem, and problem solved.

If VW is still transmitting the location data from the car to a centralized location; and continuing to store that location data; then that's two errors that have not been corrected.

Did they disclose before sale, and gain consent, to do these things? Are they required to under GDPR or other protections?
Have you forgotten what a EULA is? You naughty boy, you. How dare you expect companies to be forthright with information that could possibly impact sales.
 
It never ends, everyone has already had their ID data stolen by haxors. The best thing you can do is simply lock down your credit/accounts and let 'em try. I have a darn good "firewall" because I already know my info is on the scary "dark web". So far haxors have gotten NOTHING out of me. The few times in my life where my CC was hacked (and I'm an OG web user), I lost nothing and owed nothing in the end. I'm as careful and tight as anyone can be but I don't live in fear. As long as you shore up that last step or two they have to take when trying to steal your money, you're good.

In this case, I hope the haxors have fun stroking off to people's records of going to work, stores, friends, check engine light, door ajar, etc. LOLOLOLOL
 
I have a feeling that removing the vehicle's ability to communicate collected driver data will become a popular mode in the future. Gentle 12v to the wrong pin on the car's modem, and problem solved.


Have you forgotten what a EULA is? You naughty boy, you. How dare you expect companies to be forthright with information that could possibly impact sales.
There's a much easier and less destructive way, that is placing a faraday box over the antennae. It's how thieves steal Dodge cars with no trace, place the faraday over the antennae and BOOM no GPS or phone home connectivity possible.
 
There's a much easier and less destructive way, that is placing a faraday box over the antennae. It's how thieves steal Dodge cars with no trace, place the faraday over the antennae and BOOM no GPS or phone home connectivity possible.
It's a matter of principle for me
 
Is it the new minivan on the front picture? I simply love that car, even if it is a shitty EV.
Yes that is the ID buzz.
If you buy a VW you deserve it
A VW is like a Ford except built by people with more than 3 brain cells.
It's a matter of principle for me
I'd sooner do the cage OR pull the fuse. Permanent damage hurts trade-in value and/or warranty coverage. Plus the way things are tied in together these days, you never know what else might break if you short it.
 
My Dad once told me the FORD stood for Fix or Repair Daily
We've had 3 in the family.

first gen escort - lasted 54k miles before obliterating its head gasket and destroying the cooling system with oil pollution
second gen escort - the GOAT. In 187,000 miles, it needed a clutch under warranty at 5k miles, and an O2 sensor at 109k. That was it. Just ran and ran and ran. Sold it, still see it around town. Has to have hit 300k by now.
F-250 - been a constant part muncher. Granted it is 35 years old and spent the better part of a decade sitting, but from having bad axle bearings to bad axle seals to leaking transmission gaskets and a ghost battery drain. The adage of "low mile doesn't mean low cost" applies here.

If that truck wasn't so damn cool I'd have sold it by now. That and replacement trucks are $30k and new parts are like $200 tops.

My VW has been great. Everyone would make you think that they fall apart by 40k miles and you should never own one for more than 3 years. I'm at 4, with 25k nearly all short range city miles, 0 issues. Dad bought the same car, it's at 72k miles with one O2 sensor under warranty. So far we love them. For the price there was nothing that could beat them, tempting as the R/T charger was.
 
Any of the ideas to kill the telemetry on a car might just trigger a response that shuts the car down, making it useless to the owner. You bought it but you don't own it.
 
Any of the ideas to kill the telemetry on a car might just trigger a response that shuts the car down, making it useless to the owner. You bought it but you don't own it.
It could make carjacking impossible. I know a state that will pay in gold for it.
 
Any of the ideas to kill the telemetry on a car might just trigger a response that shuts the car down, making it useless to the owner. You bought it but you don't own it.
As of now, there is only a single brand that has such a feature, and it is optional. That would be Tesla with their PIN-to-drive system.
 
Any of the ideas to kill the telemetry on a car might just trigger a response that shuts the car down, making it useless to the owner. You bought it but you don't own it.
The difference between this response and theirs is knowledge of how things work.

If you don't know how cars work, it doesn't matter if you own your car because the mechanics own you.
 
There have now been a few studies that show this big money market is possibly the worst at protecting user privacy.

I am no fan of government oversight, but the Free World needs the Left and Right to stop arguing with each other and get governments to step up to protect citizens. Big Auto, including the "new" companies, should not be allowed to invade your privacy so much, then force you to sign a long EULA to cover themselves.

Side note: Can you put a Pi-Hole in a car?
 