A data leak at Volkswagen software subsidiary Cariad exposed personal data, including location data, of hundreds of thousands of electric vehicle owners, according to a report from Der Spiegel.
The leak was discovered by an unnamed whistleblower, who shared the vulnerability with the Chaos Computer Club (a European hacker association) and Der Spiegel. The outlet was then able to test that the leak is real by tracking the cars of German politicians Nadja Weippert and Markus Grübel, who agreed to have their data accessed by reporters.
The leak affected roughly 800,000 Volkswagen, Audi, Seat, and Skoda electric cars, but for roughly 460,000 of them, including Volkswagen’s ID.3 and ID.4 models, the data was very detailed, and included locations where the car was switched on and off.
According to the report, accessing this data was fairly easy and did not require very complex hacking methods. The data was apparently stored in unprotected and unencrypted Amazon cloud storage.
Mashable Light Speed
Some of the people affected by the leak include German politicians, business leaders, and the Hamburg police.
Der Spiegel notified Cariad about the leak, which was subsequently patched. Fortunately, while the leak enabled basically anyone to track EV owners’ locations for months, there is no evidence of anyone having done that. Cariad told Der Spiegel that EV owners don’t need to take any steps to protect their data from prying eyes.
As for Volkswagen, the company claims that accessing the data was not as easy as it seemed, and that it required “a high level of expertise and a considerable investment of time.”
Still, this is a major embarrassment for the German automaker, which has barely recovered from the 2015 Dieselgate scandal, in which it was discovered that the company programmed some of its diesel engines to show lower emissions during laboratory testing than they would have in normal use. The new data leak probably won’t help Volkswagen’s EV sales, which haven’t been great in recent months.