Volkswagen Group has been embroiled in a significant data breach involving sensitive location and personal information from hundreds of thousands of its electric vehicles. A report by the Chaos Computer Club (CCC) revealed that movement data from 800,000 VW, Audi, Skoda, and Seat electric cars, along with vehicle owners’ contact details, were left unsecured and accessible on the internet for months. This breach was first reported by the German news outlet SPIEGEL.
The data was stored by Volkswagen’s software subsidiary, Cariad, which failed to properly protect it in its cloud storage system, hosted on Amazon. Researchers from the CCC discovered that precise GPS information, such as the locations where cars were parked—at homes, offices, or other locations—was exposed. The data also included details on when the vehicle’s ignition was switched off, potentially giving insights into the habits and movements of vehicle owners.
The breach not only affected ordinary customers but also exposed data belonging to high-profile individuals, including politicians, business leaders, and law enforcement personnel. The CCC identified sensitive information from fleet management companies, corporate board members, and even data from police vehicles. Notably, movement data from 35 police patrol cars in Hamburg was accessible, as well as sensitive intelligence and military data. Among the leaked files were location details from the Federal Intelligence Service (BND) parking garage and the U.S. Air Force base in Ramstein.
Despite claims by Cariad that the data was “pseudonymized” to protect customers’ privacy, SPIEGEL journalists were able to trace personal movements, such as a politician’s frequent visits to specific locations, including a bakery and a sports club.
In response to the leak, Cariad has since closed the exposed instances and reassured the public that no financial or personally identifiable information was compromised. The company also stated that the CCC was the only third party that had accessed the data, and that no evidence of misuse was found. However, the breach highlights serious concerns about data security and the potential risks of sharing such sensitive information.