- 800,000 VW Group models affected by non-compliance, 300,000 of them from Germany
- More than half shared precise GPS location data
- Volkswagen responded promptly and responsibly.
Cariad, Volkswagen’s automotive software subsidiary, left the sensitive data of 800,000 electric vehicles exposed in an unsecured Amazon cloud storage folder, reports claim.
The concern comes after Nadja Weippert, mayor of Tostedt, Lower Saxony, delved into the app she needed to download to use the remote functionality of her Volkswagen ID.3.
She found that it collected precise geolocation data every time the car was turned off, creating a detailed picture of where it had been.
VW collects customer data insecurely
The vulnerability was first discovered by the Chaos Computer Club (CCC), a European ethical hacking organization, which was informed of it by a whistleblower. CCC confirmed the issue on November 26 and notified Cariad, giving the company 30 days to make the data inaccessible.
Cariad acknowledged that the issue was due to poor configurations in two IT applications, responded within hours and thanked the CCC for its work. CCC spokesperson Linus Neumann praised the VW software company (via Spiegel, translated with Google Translate): “Cariad’s technical team responded quickly, exhaustively and responsibly.”
German publication Spiegel revealed that more than half of the vehicles (460,000) shared accurate GPS data. The majority of the 800,000 affected models were located in Germany (300,000), with Norway, Sweden, the United Kingdom, the Netherlands, France, Belgium, Denmark, Switzerland and Austria also home to tens of thousands of affected electric vehicles.
Since Volkswagen is the parent company of other popular European brands, Audi, SEAT and Skoda models were also affected. It is unclear whether CUPRA, Porsche and other VW Group subsidiaries were also affected.
Spiegel called the mistake an embarrassment and noted that Volkswagen is already lagging behind its rivals in the software space.
VW’s unfortunate mistake comes almost a decade after the car giant was caught lying about the emissions of many of its diesel cars, but it is not the only company collecting data from its customers. In September 2023, we covered an investigation by Mozilla that revealed that 25 major automakers were collecting more data than they needed.
As the boundary between technology and cars becomes ever more blurred, customers and researchers rightly raise more and more concerns about safety.