A major data breach at Volkswagen Group has compromised sensitive personal information of approximately 800,000 electric vehicle owners across Europe, the company confirmed. The breach exposed detailed location data and contact information of customers who own electric vehicles from Volkswagen, Audi, Seat, and Skoda brands.
The security lapse occurred due to a misconfiguration in an Amazon cloud storage system managed by Cariad, Volkswagen's software subsidiary. The unprotected data remained accessible online for several months before being discovered by an anonymous hacker, who reported it to the Chaos Computer Club (CCC), a prominent European ethical hacking organization.
The exposed information included precise vehicle location data, timestamps of when EVs were switched on and off, email addresses, phone numbers, and home addresses of car owners. For about 460,000 Volkswagen and Seat vehicles, location tracking was accurate within 10 centimeters, while Audi and Skoda vehicles had location accuracy up to 10 kilometers.
Among those affected were German politicians, business leaders, and even the Hamburg police force's entire electric vehicle fleet. The breach impacted vehicles across multiple European countries, including Germany, Norway, Sweden, the UK, the Netherlands, France, Belgium, and Denmark.
Cariad reportedly addressed the security flaw immediately after being notified by the CCC. Volkswagen stated that no customer payment details or login credentials were compromised in the breach. However, the company's claim that accessing the information required "bypassing several security mechanisms" has been questioned by cybersecurity experts.
The incident has raised serious concerns about data protection practices in the automotive industry, particularly as vehicles become increasingly connected and data-dependent. This breach follows a 2023 Mozilla study that labeled car manufacturers' data collection practices as a "privacy nightmare."
For affected customers, while Volkswagen asserts no immediate action is required, the incident highlights the growing challenges of protecting personal data in modern vehicles and cloud-based systems.