Driver Data From Volkswagen Electric Vehicles Publicly Accessible for Months Before Resolved

The private data of approximately 800,000 EV owners was available for the public to access for months before Volkswagen remedied the issue, according to The Drive.

The information was first released by German news outlet Spiegel, which discovered owners of Audi, Seat, Škoda, and Volkswagen vehicles had their information accessible on the internet as a result of inadequate cloud security.

Volkswagen’s connected car app, developed by its subsidiary Cariad, enables the ability for remote vehicle startup, A/C control, to check the vehicle’s current charge level, and other capabilities. It also held data on drivers’ location and GPS activity.

Over the summer, the data was left unencrypted, leaving Cariad websites and subpages easy to access through guessing simple file extensions. One of these file extensions held a recent memory dump from an internal Cariad app, containing the login for an Amazon cloud storage facility that held data on vehicle owners.

300,000 of the vehicles were located in Germany, and vehicles in other European countries were also included. It hasn’t been shared how many vehicles in North America may have been impacted.

The data provided incredibly accurate info on where drivers had been. Volkswagen and Seat vehicles were able to pinpoint within 4 inches of a vehicle’s exact location. For Audi and Škoda cars, it was about 6 miles. There was also info on vehicle owners’ emails, addresses, and phone numbers.

Volkswagen Group was not even aware of the cyber threat until European hacker group Chaos Computer Club made them aware. Cariad has said that, besides CCC, no nefarious actors have obtained the data—but in the U.S., where auto repairers are facing data restrictions over concerns of cybersecurity, incidents like this underscore that automakers nonetheless have much work to do on protecting the data vehicles hold.