fbpx
Industry > Mess

Volkswagen suffers data leak exposing sensitive vehicle location info

Incident highlights risks of modern vehicles and how they use your information

Volkswagen
Volkswagen suffered a data leak. PHOTO FROM VOLKSWAGEN

When Volkswagen introduced its sleek ID. range of electric vehicles and accompanying mobile apps, it promised convenience and innovation. But behind the polished interface of digital progress lies a serious security blunder that has just been brought to light. Sensitive data from around 800,000 EVs was left exposed in an unprotected cloud storage system, making private information accessible to anyone who knew where to look.

This wasn’t just any data—it included precise GPS locations, enabling the tracking of where and when vehicles were parked. Whether it was in front of a private residence, a government building, or even less savory destinations, the information was out in the open. Worse still, this data could often be tied directly to the owners through names and contact details stored alongside it.

Volkswagen
Location data of ID. models was accessible online. PHOTO FROM VOLKSWAGEN

The issue was exposed thanks to a whistleblower who shared the information with Germany’s Chaos Computer Club (CCC), a prominent group known for identifying and reporting cybersecurity vulnerabilities, and several investigative journalists. The exposed data spanned vehicles from Volkswagen and its subsidiaries Audi, Seat, and Skoda across multiple regions, including Europe and beyond. Shockingly, 460,000 of these vehicles had their precise locations logged, creating a treasure trove of information for anyone with malicious intent.

At the heart of the issue is Cariad, Volkswagen’s software subsidiary, tasked with creating a cutting-edge digital platform for its EV lineup. Last summer, Cariad reportedly misconfigured its cloud storage system, leaving this sensitive data easily accessible. Despite handling volumes of data that could rival a small country’s census, the breach went unnoticed until external parties flagged it. And let’s be clear: This wasn’t some obscure or hard-to-access database. A few basic hacking tools, readily available online, could easily reveal the precious chest of data.

The breach underscores a glaring weakness in Volkswagen’s data management and security systems, a sore spot for a company already struggling to keep pace with its competitors in software development and electric cars in general. The timing couldn’t be worse. As automakers rush toward autonomous vehicles and interconnected systems, trust in their ability to protect data is paramount. This incident does little to inspire confidence or help the Germans improve their lagging sales.

Volkswagen
Do you know what your VW reveals about you? PHOTO FROM VOLKSWAGEN

The implications of the breach are staggering. Movement data from these vehicles paints a vivid picture of their owners’ lives. It reveals not only their home addresses but also their routines, favorite hangouts, and even potentially compromising locations. Consider the dangers: Criminals could use the data for targeted phishing scams, posing as Volkswagen representatives to extract payment details. Stalkers and abusers could pinpoint the whereabouts of individuals with alarming accuracy. Even intelligence agencies could find value in tracking vehicles frequenting sensitive locations like government buildings or military bases.

Volkswagen’s response, while swift once informed by the CCC, has left much to be desired. The company attributed the breach to a “misconfiguration” and assured the public that no sensitive information such as passwords or payment details was exposed. But this misses the bigger picture. Location data and personal details are far from harmless. In the wrong hands, they are a goldmine for exploitation.

The CCC has commended Cariad’s technical team for its quick action in resolving the issue once notified. Yet, the question remains: How did such a glaring vulnerability go unnoticed for so long? Modern cybersecurity practices are designed to flag these kinds of exposures before they become full-blown crises. For a company like Volkswagen, which touts its technological advancements, this is a serious egg-on-face moment.

Volkswagen
Do you know what carmakers know about you? PHOTO FROM VOLKSWAGEN

It’s also a stark reminder of a broader issue plaguing the automotive industry. Today’s cars are essentially computers on wheels, collecting a dizzying amount of data through hundreds of sensors. From battery health to driving habits and exact locations, manufacturers hold a detailed dossier on every vehicle. While companies claim these data points are used to improve services and products, transparency about how this information is stored, secured, and shared remains murky.

The Mozilla Foundation’s recent study adds to the grim picture. Examining 25 car brands, the report concluded that modern cars are a “privacy nightmare.” It found that all surveyed brands collect more data than necessary, with most admitting they share or sell this information to third parties. Over two-thirds of these companies had experienced data breaches or other security incidents within the past three years.

Volkswagen isn’t alone in its data woes, but that’s hardly a consolation. Incidents like this raise critical questions: Who owns the data generated by vehicles? The manufacturers? The owners? And what rights do consumers have over this information? The European Union is already taking steps with its upcoming Data Act, which aims to give vehicle owners more control over their data. However, it won’t come into effect until late 2025, leaving a lot of time for more missteps, and of course it doesn’t even cover the Philippines. Maybe it’s time local politicians had a look at this issue and address it where needed.

Volkswagen
Do cars know too much about us? PHOTO FROM VOLKSWAGEN

For Volkswagen, the immediate damage is reputational. The company has long positioned itself as a symbol of German engineering excellence, but this breach further chips away at that image. It also raises doubts about the industry’s readiness for the challenges of a connected future. If automakers can’t secure today’s data, how can they assure us that tomorrow’s autonomous vehicles will be safe from hackers or other malicious individuals?

This fiasco isn’t just a warning for Volkswagen—it’s a wake-up call for the entire industry. Cars are no longer just machines. They are repositories of personal and sensitive information. And with that comes a responsibility that manufacturers can no longer afford to ignore.



Frank Schuengel

Frank is a German e-commerce executive who loves his wife, a Filipina, so much he decided to base himself in Manila. He has interesting thoughts on Philippine motoring. He writes the aptly named ‘Frankly’ column.



Comments