Security Breach Exposes Data of 800,000 Volkswagen EVs, Raising Privacy Concerns

In a significant breach of data security, data from approximately 800,000 electric vehicles (EVs) produced by Volkswagen has been exposed, leaving sensitive vehicle information open to unauthorized access by hackers. This lapse reportedly stems from vulnerabilities in the systems of Cariad, Volkswagen’s software subsidiary, which has faced criticism in the past for delays in its EV product launches and software development.

As reported by German news outlet Der Spiegel, a whistleblower revealed the security oversight to both Der Spiegel and the hacker organization Chaos Computer Club. Fortunately, it appears that the exposed data has not yet been exploited for malicious activities.

Among the affected vehicles, around 300,000 are registered in Germany, with additional vehicles impacted across several European nations, including the United Kingdom.

While Cariad has since addressed the security flaw, Der Spiegel highlights the potential for hackers to create intricate profiles of Volkswagen ID.3 and ID.4 owners based on their recorded daily movements and vehicle status.

"In the case of approximately half of the affected vehicles, especially the ID.3 and ID.4 models, the data is quite granular," the publication noted in a translated excerpt. "It details when a car was started and when and where it was turned off. Most of this information dates back to 2024, with some records extending further back."

This wealth of information could be particularly appealing to criminal elements or intelligence agencies, providing insights into the whereabouts of vehicles near sensitive locations, such as intelligence service buildings or military bases, where patterns of movement might be discerned.

Moreover, the publication warns that the compromised data could enable cybercriminals to access owners’ online addresses, facilitating sophisticated phishing schemes masquerading as legitimate communications from Volkswagen to extract sensitive financial information.

Intriguingly, the data revealed instances of vehicle usage linked to brothels, raising concerns about potential blackmail threats against owners. The location data for Volkswagen and Seat models was reportedly precise to within 10 centimeters, whereas for Audi and Skoda models it was accurate only to about 10 kilometers.

When questioned about its data collection practices, Cariad defended its approach, stating it "pseudonymizes data regarding customer charging behaviors and habits." The firm asserted that this information is not compiled in a manner that could lead to the identification of individual users or the establishment of movement profiles.

Cariad characterized the security breach as a "misconfiguration," assuring that, to the best of their knowledge, the only entity to have accessed the system was the Chaos Computer Club, with no evidence of data misuse by external parties.

This incident follows previous reports from German trade publication Manager Magazin and later Reuters, indicating that Cariad plans to cut approximately 2,000 jobs between 2024 and the end of 2025 as part of ongoing restructuring efforts.

Source: www.carexpert.com.au