Major Privacy Breach Exposes Location Data of 800,000 VW Group Electric Vehicles

A major security breach at Volkswagen's software subsidiary Cariad has exposed sensitive location data and personal information of approximately 800,000 electric vehicles across Europe, raising serious privacy concerns.

The breach, which persisted for several months, revealed detailed GPS coordinates and vehicle owners' personal details through an unprotected Amazon cloud storage system. The exposed data affected vehicles from multiple brands including Volkswagen, Audi, Seat, and Skoda.

For nearly 460,000 vehicles, precise location tracking data was directly linked to owners' names, email addresses, and mobile phone numbers. The breach impacted various high-profile individuals, including politicians, business leaders, and law enforcement personnel. In one notable instance, approximately 35 electric patrol vehicles belonging to the Hamburg Police had their movement data compromised.

The exposed information went beyond simple location tracking, revealing battery levels, inspection records, and exact timestamps of vehicle usage. The precision of tracking varied by brand: VW and Seat vehicles could be pinpointed within 10 centimeters, while Audi and Skoda vehicles were tracked within a 10-kilometer radius.

The security flaw was discovered when hidden subpages on Cariad's websites were found accessible using standard tools. Most concerning was an unprotected storage dump containing unencrypted access credentials to Amazon cloud storage, effectively providing unrestricted access to all vehicle data.

The breach posed serious risks for potential misuse. The data could have enabled tracking of vehicles near sensitive locations like intelligence service buildings or military installations. It also created opportunities for sophisticated phishing attacks and stalking by revealing detailed movement patterns of vehicle owners.

After being alerted by the Chaos Computer Club, Cariad promptly addressed the security gap. The company characterized the incident as a "misconfiguration" and stated that no evidence of data misuse has been found to date.

Cariad's swift response earned praise from Chaos Computer Club spokesperson Linus Neumann, who acknowledged the company's quick and thorough handling of the situation once notified.