VW software subsidiary exposes data of 800,000 electric vehicles

Cariad's security breach reveals detailed location data and personal information of electric vehicle owners across Europe

A major data breach at Volkswagen's software subsidiary Cariad has exposed sensitive information from approximately 800,000 electric vehicles, including detailed GPS locations and personal data of vehicle owners, according to findings shared by security researchers.

According to Der Spiegel, the data leak occurred when Cariad, VW's automotive software division with 6,000 employees as of January 2024, inadvertently left a significant amount of customer data exposed in an Amazon cloud storage system. The breach affected vehicles across multiple Volkswagen Group brands, including VW, Audi, Seat, and Skoda.

The exposed data included precise GPS coordinates accurate to within 10 centimeters for VW and Seat models, showing exactly where vehicles were parked. For about 460,000 of the affected vehicles, researchers could link location data with owners' names and contact information. The data leak persisted for several months before being discovered.

Nadja Weippert, a Green Party representative in the Lower Saxony state parliament and data protection spokesperson, discovered her VW ID.3's data had been compromised after purchasing the vehicle in September. "I am shocked," Weippert told Der Spiegel when presented with her vehicle's location history. "It cannot be that my data is stored unencrypted in the Amazon cloud and then not even adequately protected."

The breach exposed sensitive patterns about vehicle owners' lives. For instance, Weippert's car data revealed regular visits to city hall, the state parliament, her sports club, favorite bakery, and physiotherapist. The data even tracked a two-day trip she took to a party conference in Oldenburg.

Similar detailed location histories were exposed for other prominent individuals, including Markus Grübel, a member of the German Parliament who serves on the Defense Committee. His vehicle's location data showed visits to a senior care facility where his elderly father resides and to military facilities relevant to his government role.

The security vulnerability was identified by a whistleblower who shared the findings with the Chaos Computer Club (CCC) and Der Spiegel. According to CCC spokesperson Linus Neumann, accessing the exposed data required minimal technical expertise. The vulnerability stemmed from misconfigured access credentials that were inadequately protected - a situation Neumann likened to "a huge keyring hidden under a much too small doormat."

Beyond privacy concerns for individuals, the data breach posed potential security risks, particularly for vehicles tracked near sensitive locations like intelligence agency buildings or military installations. The detailed location histories could have value for foreign intelligence services or criminals seeking to establish patterns of behavior.
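The two points above, 10 cm GPS fixes and the ability to join them to owners' names, are what turned a storage misconfiguration into a pattern-of-life exposure. The following Python block is an added example, not code from Cariad or from the article, showing the data-minimisation step a telemetry backend can apply before anything reaches cloud storage: positions are snapped to a coarse grid, the VIN is replaced by a keyed HMAC pseudonym, and records outside a retention window are never stored. The sample records, VINs, e-mail addresses, the 0.01 degree grid, the 30-day window and the placeholder key are all constructed assumptions; in a real deployment the key would be held in a secrets manager, never alongside the data.

```python
"""Data-minimisation for vehicle location telemetry (added example).

Assumptions, not taken from the article: the backend receives records with a
VIN, owner contact, a ~10 cm GPS fix and an ISO-8601 timestamp; the HMAC key
is fetched from a secrets manager at run time and is never stored with the data.
"""
import hashlib
import hmac
import math
from datetime import datetime, timedelta

# Constructed sample records; VINs, e-mail addresses and positions are made up.
SAMPLE_RECORDS = [
    {"vin": "EXAMPLEVIN0000001", "owner_email": "owner1@example.org",
     "lat": 52.3758241, "lon": 9.7320102, "ts": "2024-12-01T07:58:00+00:00"},
    {"vin": "EXAMPLEVIN0000001", "owner_email": "owner1@example.org",
     "lat": 52.3758247, "lon": 9.7320110, "ts": "2024-12-02T07:59:00+00:00"},
    {"vin": "EXAMPLEVIN0000002", "owner_email": "owner2@example.org",
     "lat": 48.1371079, "lon": 11.5753822, "ts": "2024-06-15T12:00:00+00:00"},
]


def pseudonymize_vin(vin: str, key: bytes) -> str:
    """Keyed HMAC: records from one car stay joinable for fleet analytics,
    but a leaked dataset cannot be mapped back to VINs without the key."""
    return hmac.new(key, vin.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def coarsen_position(lat: float, lon: float, cells_per_degree: int = 100):
    """Snap a fix to the centre of a 0.01 degree cell (about 1.1 km
    north-south), discarding the sub-metre precision the article describes."""
    cell_lat = math.floor(lat * cells_per_degree)
    cell_lon = math.floor(lon * cells_per_degree)
    return ((cell_lat + 0.5) / cells_per_degree,
            (cell_lon + 0.5) / cells_per_degree)


def minimize_records(records, key: bytes, now_iso: str, retention_days: int = 30):
    """Return only what the backend is allowed to keep: pseudonym, coarse
    cell and calendar day. Older records are dropped before storage."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    kept = []
    for rec in records:
        ts = datetime.fromisoformat(rec["ts"])
        if ts < cutoff:
            continue  # outside the retention window: never stored
        lat, lon = coarsen_position(rec["lat"], rec["lon"])
        kept.append({
            "vehicle": pseudonymize_vin(rec["vin"], key),
            "lat": lat,
            "lon": lon,
            "day": ts.date().isoformat(),
        })
    return kept


def has_direct_identifiers(record: dict) -> bool:
    """Guard for tests and audits: stored rows must carry no VIN or contact data."""
    return any(k in record for k in ("vin", "owner_email"))


if __name__ == "__main__":
    key = b"placeholder-key-from-secrets-manager"  # assumption, not a real key
    for row in minimize_records(SAMPLE_RECORDS, key, "2024-12-10T00:00:00+00:00"):
        print(row)
```

The design choice worth noting is that coarsening and pseudonymisation happen before storage, so a later misconfiguration of the storage layer exposes cells and opaque tokens rather than 10 cm tracks tied to names; the key needed to re-link the tokens is the one secret that must stay out of the data store.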

The breach affected vehicles across multiple European countries, with the highest numbers in:

  • Germany: 300,000 vehicles
  • Norway: 80,000 vehicles
  • Sweden: 68,000 vehicles
  • United Kingdom: 63,000 vehicles
  • Netherlands: 61,000 vehicles
  • France: 53,000 vehicles
  • Belgium: 38,000 vehicles
  • Denmark: 35,000 vehicles
  • Switzerland: 22,000 vehicles
  • Austria: 20,000 vehicles

When notified about the security flaw, Cariad responded promptly to close the vulnerability. The company acknowledged a "misconfiguration" led to the data exposure but maintained that combining different data sets to identify individuals would have "required a high level of expertise and considerable time investment."

The incident highlights broader concerns about data collection practices in modern vehicles. A 2023 Mozilla Foundation study of 25 car brands found widespread privacy issues, with 76% of manufacturers indicating they could sell collected data. The study noted that 68% of brands had experienced security incidents in the previous three years.

For context, Cariad was established in 2020 as Volkswagen's dedicated software division, aiming to develop a unified software platform for all Volkswagen Group brands. However, the unit has faced challenges, including a reported €400 million operating loss in 2022 and recent strategic shifts. In June 2024, Volkswagen announced plans to transition to technology from Rivian for its future software platform.

The incident comes at a critical time as regulators increasingly scrutinize automotive data practices. The European Union's Data Act, which becomes enforceable in September 2025, will require manufacturers to provide vehicle owners with greater control over their data. This regulation aims to increase transparency around data collection while maintaining security standards.

Industry experts note that modern vehicles can contain hundreds of sensors collecting vast amounts of data. An ADAC study found that Mercedes B-Class vehicles transmit their location every two minutes, along with data about fuel levels, tire pressure, and safety system activations. Similar detailed data collection was observed in BMW and Renault models.

According to cybersecurity researchers, the automotive industry faces unique challenges in securing the growing volume of collected data. Previous incidents have included remote vehicle access vulnerabilities, such as the 2015 Jeep hack that led to the recall of 1.4 million vehicles.

Cariad has stated that affected customers require "no action" since no passwords or payment information were compromised. However, the company noted that vehicle owners can deactivate online functions if they wish to limit data collection.

For the Volkswagen Group, which has struggled with software development challenges, the data breach represents another setback in its digital transformation efforts. The incident underscores the complex balance between gathering data to improve vehicle systems and maintaining robust security measures to protect user privacy.