A significant data breach at Volkswagen’s software subsidiary, Cariad, has exposed location data and personal information associated with approximately 800,000 electric vehicles.
According to a report by Der Spiegel, in collaboration with the Chaos Computer Club (CCC), several terabytes of sensitive data were stored unprotected on an Amazon Web Services (AWS) cloud storage facility. The data, which includes precise location details, battery charge levels, and vehicle status, was accessible online for several months before being discovered by a whistleblower.
The leak affected several Volkswagen brands, and precise location data was viewable for around 460,000 vehicles. Information such as vehicle ownership and contact details of drivers or fleet managers was also exposed.
The data from these vehicles, including inspection status and whether the car was on or off, was stored on the cloud service, where in some cases specific vehicle positions were accessible to an accuracy of 10 centimeters.
Countries such as Germany, Norway, Sweden, and the UK were the most affected by the breach, with Germany seeing the highest number of exposed vehicles at 300,000.
The vulnerability was identified through systematic investigation, and although Cariad responded quickly to close the gap, the company has downplayed the incident, referring to it as a “misconfiguration” rather than a security flaw. “There were no indications of misuse of data by third parties,” a Cariad spokesperson stated. The company explained that the data was primarily collected for the purpose of analyzing customer charging behavior to improve batteries and software.
While Cariad has assured the public that the issue has been resolved, the breach raises concerns over data privacy, especially given the detailed movement profiles that were potentially accessible for individuals, including politicians and business leaders.