Tech AI Connect

Volkswagen’s Cariad Exposes Data of 800,000 Electric Cars and Owners

In a significant breach of privacy, Volkswagen’s software unit, Cariad, has exposed sensitive data from approximately 800,000 electric vehicles, raising serious concerns about the security of customer information. The exposed data, which can potentially be linked to customers’ names and precise vehicle locations, was left unprotected in Amazon cloud storage for several months, making it accessible to anyone with minimal technical skills.

The exposed databases contained information pertaining to Volkswagen, Audi, Skoda, and Seat vehicles. Alarmingly, some of the geo-location data was accurate within mere centimeters, creating significant privacy risks for those affected. The breach was traced back to incorrect configurations in two IT applications, as explained by a representative from Cariad to BleepingComputer.

The Chaos Computer Club (CCC), an influential organization of ethical hackers in Europe, notified Cariad about the vulnerability on November 26. The CCC, which has over three decades of experience in promoting security and privacy, learned of the exposure from a whistleblower. After testing the insecure access, they informed Cariad and Volkswagen, providing detailed technical information about the issue. According to reports, the CCC hackers were able to access the data by overcoming several security mechanisms that required a considerable amount of time and technical expertise.

Of the nearly 800,000 vehicles impacted, the CCC discovered geo-location data for 460,000 cars. In some instances, the data revealed the exact location of vehicles, including those belonging to Hamburg police and suspected intelligence service employees. Notably, the data included sensitive information related to two German politicians, Nadja Weippert and Bundestag member Markus Grübel, who were identifiable through publicly available software tools used by professionals to search for exposed assets.

A team of IT experts from the German publication Spiegel used these tools to uncover a memory dump from an internal Cariad application. This dump contained access keys to an Amazon cloud storage instance where the sensitive data of Volkswagen Group customers was stored. Their findings point to a substantial breach of privacy and raise questions about the security practices of major automotive software companies.

Most of the compromised vehicles were based in Germany, with significant quantities also found in Norway, Sweden, the United Kingdom, and several other European countries. Following the notification from the CCC, Cariad’s security team reportedly acted swiftly, ensuring that access was restricted on the same day. The CCC has confirmed that Cariad’s technical response was efficient and thorough.

According to Cariad, there is currently no evidence indicating that other parties, besides the CCC hackers, accessed the exposed data. They emphasized that the data, while sensitive, was pseudonymized for privacy purposes, requiring additional effort to link specific information to individual users. The company also reiterated that the CCC hackers only accessed collected data, without any means to access the vehicles themselves.

Despite the significant privacy flub, Cariad maintains that the data collected from vehicles gives them insights into the development and improvement of digital features for customers. They stated that the processing of personal data is crucial for enhancing digital experiences, such as optimizing charging behaviors and improving future battery technologies.

While Cariad asserts compliance with legal regulations and strong data protection practices, including the pseudonymization and aggregation of data for specific purposes, the incident raises ethical considerations about the extent to which automotive companies should collect and store personal information from their customers. Educating consumers about these risks has never been more pertinent, as many are left contemplating the implications of owning internet-connected vehicles.

This incident serves as a stark reminder of the vulnerability associated with digital data and electronic vehicles, pressing the automotive industry to reevaluate its data privacy standards and the trust placed in digital technologies. As the public demands robust safeguards for personal information, the response to this breach will likely drive conversations about consumer rights and data protection protocols in the automotive industry moving forward.
