Volkswagen Subsidiary Leak Exposes Personal, Location Data

Volkswagen's ID4. Image credit: Volkswagen

People’s personal and location data has been exposed after a data leak at Cariad – a software firm that develops tech for Volkswagen


Volkswagen Group is at the centre of a massive data leak incident, after one of its subsidiaries reportedly exposed customer data online for months.

Cariad is the software unit at Volkswagen. According to a report from Der Spiegel (also covered by Electrek), for months, the location information of around 800,000 electric Volkswagen vehicles was available online due to a data leak.

The leak reportedly stemmed from the software running inside Volkswagen vehicles, and was so serious it could have allowed bad actors to track a driver’s exact movements.

To industry observers this leak may not be surprising, as car manufacturers are increasingly being confronted over the failing privacy safeguards of their vehicles. In September 2023, for example, the Mozilla Foundation revealed a ‘privacy nightmare’, after it reviewed 25 global car brands, all of which (for the first time) had failed its privacy tests.

Volkswagen’s ID 4 electric vehicle. Image credit: Volkswagen

Automotive privacy

The Mozilla research found that popular car brands – including BMW, Ford, Toyota, Tesla, Kia, and Subaru – can collect deeply personal data such as sexual activity, immigration status, race, facial expressions, weight, health and genetic information, and where a person drives.

Mozilla researchers found data was being gathered by sensors, microphones, cameras, and the phones and devices that drivers connect to their cars, as well as by car apps, company websites, dealerships, and vehicle telematics.

And to make matters even worse, certain car brands can then share or sell this data to third parties.

Car brands can also take much of this data and use it to develop inferences about a driver’s intelligence, abilities, characteristics, preferences, and more.

One of the top offenders was Volkswagen, which Mozilla found had collected demographic data (such as age and gender) and driving behaviours (like seatbelt and braking habits) for targeted marketing purposes.

Cariad/VW leak

A whistleblower reportedly first notified Der Spiegel and the European hacking association Chaos Computer Club of the Cariad/VW vulnerability.

The data leak also reportedly impacted electric vehicles (EVs) from other Volkswagen brands including Audi, Seat, and Skoda.

According to the Der Spiegel report, Cariad’s leak resulted from improperly secured driver data housed in Amazon’s cloud storage service (AWS).

The data, which “could be linked to the names and contact details of the drivers,” reportedly included details about when EVs were switched on and off, as well as the emails, phone numbers, and addresses of drivers in some cases.

Even more concerning, it included the “precise” locations of about 460,000 vehicles. According to Der Spiegel, the data was “accurate to within ten centimetres” for Volkswagen and Seat EVs, and within 10km (~6 miles) for Audi and Skoda models.

Cariad has since addressed the issue, and reportedly told Der Spiegel that VW customers have “no need to take any action, as no sensitive information such as passwords or payment details are affected.”

VW troubles

It has been a busy period for the car giant.

Volkswagen recently entered into a joint venture with Rivian Automotive, as part of a huge funding investment for the EV startup.

Meanwhile the German car giant is also contending with large-scale strikes by 100,000 workers in Germany, as VW cuts wages, axes 35,000 jobs, and closes three factories in Germany.

The firm is struggling amid weak sales and slow expansion in the EV sector, as well as tough competition from Chinese EV manufacturers.