800,000 VW Group models affected in breach, 300,000 of them in Germany

More than half were sharing precise GPS location data

Volkswagen responded promptly and responsibly

Cariad, Volkswagen’s automotive software subsidiary, reportedly left the sensitive data of 800,000 electric vehicles exposed in an unsecured Amazon cloud storage folder.

The concern comes after Nadja Weippert, Mayor of Tostedt, Lower Saxony, delved into the app she was required to download to use the remote functionality of her Volkswagen ID.3.

She found that it was collecting precise geolocation data every time the car was turned off, creating a detailed picture of where she had been.

VW collecting customer data insecurely

The vulnerability was first discovered by a European ethical hacking organization, Chaos Computer Club (CCC), which was informed by a whistleblower. CCC confirmed the issue on November 26 and notified Cariad, giving the company 30 days to make the data inaccessible.

Cariad acknowledged the issue stemmed from poor configurations in two IT applications, responding within just hours and thanking the CCC for its work. CCC spokesman Linus Neumann praised VW’s software firm (via Spiegel, translated with Google Translate): “The Cariad technical team responded quickly, thoroughly and responsibly.”

German publication Spiegel revealed that more than half of the vehicles (460,000) were sharing precise GPS data. Most of the 800,000 affected models were located in Germany (300,000), with Norway, Sweden, the UK, the Netherlands, France, Belgium, Denmark, Switzerland and Austria also being home to tens of thousands of affected electric vehicles.

Because Volkswagen is the parent company of other popular European brands, Audi, SEAT and Skoda models were also reportedly affected. It’s unclear whether CUPRA, Porsche and VW Group’s other subsidiaries were also affected.

Spiegel called the blunder a disgrace, noting that Volkswagen is already lagging behind rivals in the software space.

VW’s unfortunate mistake comes close to a decade after the automotive giant was caught lying about the emissions of many of its diesel cars, but it’s not the only company collecting customer data. In September 2023, we covered Mozilla research revealing that 25 major car manufacturers were collecting more data than they needed.

As tech and cars draw ever closer together, customers and researchers are rightly raising more and more security concerns.