A major data security lapse by Volkswagen's software subsidiary Cariad left sensitive location data of approximately 800,000 electric vehicles exposed on an unsecured Amazon cloud storage server for several months.
The breach affected vehicles across multiple VW Group brands including Volkswagen, Audi, SEAT, and Skoda, with over half of the exposed vehicles actively sharing precise GPS coordinates. The exposed data linked vehicle locations with owners' personal information, enabling detailed tracking of individuals' movements.
German news outlet Spiegel demonstrated the severity of the breach by successfully tracking two German politicians, following a Defense Committee member's visits to military facilities and a local mayor's daily routes between work and medical appointments.
The security flaw was discovered by a whistleblower who alerted both Spiegel and the Chaos Computer Club (CCC), a European ethical hacking organization. After CCC confirmed the vulnerability on November 26, they notified Cariad and provided a 30-day window to secure the data.
The breach primarily affected Germany, with 300,000 affected vehicles, while tens of thousands of EVs were also exposed across other European nations including Norway, Sweden, the UK, Netherlands, France, Belgium, Denmark, Switzerland, and Austria.
Cariad acknowledged that the data exposure resulted from misconfigured IT applications and responded swiftly to address the security gap. CCC spokesperson Linus Neumann commended the company's rapid technical response to resolve the issue.
This incident highlights growing concerns around data privacy in modern vehicles, following recent research showing widespread over-collection of customer data across the automotive industry.