For several months, the personal data and precise locations of 800,000 electric vehicles (EVs) from Volkswagen and its associated brands were publicly accessible online due to a significant data leak. This issue, linked to software developed by Volkswagen subsidiary Cariad, came to light after the German news outlet Der Spiegel reported on it.
The exposed data included movement information for about 460,000 vehicles with startling accuracy—up to 10 centimeters for Volkswagen and Seat models and within 10 kilometers for Audi and Skoda cars. Some of the data, stored on Amazon’s cloud services, also revealed driver details such as emails, phone numbers, and addresses.
A whistleblower alerted Der Spiegel and the Chaos Computer Club (CCC), a European hacking group, about the vulnerability. CCC identified the breach on November 26 and promptly informed Cariad, which has since resolved the issue. According to Volkswagen, the data was accessible only through a complex and multi-layered process requiring advanced hacking skills. The company emphasized that no sensitive financial details, such as payment information or passwords, were compromised.
Volkswagen assured customers that the risk of malicious exploitation was minimal, noting that the CCC hackers accessed only pseudonymized data, which did not directly identify individual drivers. However, the incident highlights ongoing risks associated with modern vehicles’ extensive data collection and connectivity.
This event joins a growing list of security concerns involving internet-connected cars, underlining the need for stricter safeguards as vehicles increasingly integrate digital services. Mozilla has previously called connected cars a “privacy nightmare,” and incidents like this serve as a reminder of the vulnerabilities inherent in this technology.
Volkswagen is investigating the leak and evaluating further actions. Cariad has stated that affected customers need not take additional steps, as the issue has been addressed.
Volkswagen’s data leak reveals a concerning trend in modern car ownership: automakers increasingly treat vehicles as tools for gathering personal data. Even when customers avoid connected services, manufacturers often collect information under unclear terms and conditions. This incident shows how critical it is to implement stricter regulations to safeguard consumer privacy. Without strong oversight, similar breaches will become more common.
