Private information from more than 800,000 electric car owners and drivers may have appeared online

By James On Dec 30, 2024

800,000 VW Group models affected in violation, of which 300,000 from Germany
More than half shared accurate GPS location data
Volkswagen responded quickly and responsibly

Cariad, a subsidiary of Volkswagen’s automotive software company, allegedly left the sensitive data of 800,000 electric vehicles in an unsecured Amazon cloud storage folder, reports claim.

The concerns come after Nadja Weippert, mayor of Tostedt, Lower Saxony, looked into the app she had to download to use the remote functionality of her Volkswagen ID.3.

She found that it collected precise geolocation data every time the car was turned off, creating a detailed picture of where she had been.

VW collects customer data insecurely

The vulnerability was first discovered by a European ethical hacking organization, Chaos Computer Club (CCC), which was informed by a whistleblower. CCC confirmed the problem on November 26 and notified Cariad, giving the company 30 days to make the data inaccessible.

Cariad acknowledged that the problem stemmed from poor configurations in two IT applications, responded within hours and thanked the CCC for its work. CCC spokesperson Linus Neumann praised VW’s software company (via Mirrortranslated with Google Translate): “The Cariad technical team responded quickly, thoroughly and responsibly.”

German publication Mirror revealed that more than half of vehicles (460,000) shared accurate GPS data. Most of the 800,000 affected models were in Germany (300,000), with Norway, Sweden, Great Britain, Netherlands, France, Belgium, Denmark, Switzerland and Austria also home to tens of thousands of affected electric vehicles.

As Volkswagen is the parent company of other popular European brands, Audi, SEAT and Skoda models were also reportedly affected. It is unclear whether CUPRA, Porsche and the other subsidiaries of the VW Group were also affected.

Mirror called the blunder an embarrassment and noted that Volkswagen is already lagging behind its competitors in software.

Despite VW’s unfortunate mistake, nearly a decade after the auto giant was caught lying about the emissions of many of its diesel cars, it is not the only company collecting customer data. In September 2023, we covered Mozilla research showing that 25 major automakers were collecting more data than they needed.

As the boundaries between technology and cars draw ever closer, customers and researchers are rightly expressing increasing safety concerns.