A massive data leak at software company Cariad, a Volkswagen subsidiary, reportedly left the personal data, including geolocation data, of some 800,000 EV owners online and accessible for months. A major blunder from an automaker already in crisis.
The leak involved electric vehicles from VW, Audi, Seat, and Skoda owners in Germany, Europe, and other parts of the world, reported Germany’s Spiegel magazine on Friday. Data up for anyone to glimpse online included contact info and movement data, making it possible to see when a car was parked at home, cruising down the autobahn, or “outside a brothel,” Spiegel writes.
The sensitive information was left exposed on an unprotected and misconfigured Amazon cloud storage system for months – the problem has now been patched. The breach was signaled by the hacker association Chaos Computer Club, which was tipped off by an anonymous hacker. While Volkswagen subsidiary had left the door wide open for anyone to access the data for months on end, apparently, there is no evidence of anyone doing that. Which is a good thing, because a reasonably tech-savvy person could access months of your whereabouts and connect into your personal credentials via Volkswagen’s online services.
In some 466,000 of the 800,000 vehicles involved, location data was extremely precise so that anyone could track the driver’s daily routine. Spiegel reported that the list of owners includes German politicians, entrepreneurs, the entire EV fleet driven by Hamburg police, and even suspected intelligence service employees – so while nothing happened, it seriously could have been a lot worse.
After the Chaos Computer Club tipped off Volkswagen on November 26, it also reached out to Germany’s Federal Ministry of the Interior and the state police, which then in turn gave Volkswagen and Cariad 30 days to rectify the situation before going public.
Cariad responded to Spiegel saying that no sensitive data was exposed, adding that customers “don’t need to take any action, as no sensitive information like passwords or payment data is affected.”
Still, people aren’t happy, especially the German politicians whose names were included on the list, with Spiegel reviewing the data and showing it to a few affected high-level individuals – “shocking,” “annoying,” and “embarrassing” are some of the comments from those involved.
Volkswagen has argued that accessing individual data was a more complicated process than it seems. “Only by bypassing several security mechanisms, which required a high level of expertise and a considerable investment of time, and by combining different data sets, was the CCC able to draw conclusions about individual customer data from certain users,” the company said in a statement.
Of course, Volkswagen isn’t the only automaker to fumble their software, with Toyota last year admitting to a major data breach involving more than 2 million owners in Japan.
Author: Jennifer Mossalgue
Source: Electrek
