Volkswagen Group has collected movement data from hundreds of thousands of VW, Audi, Skoda, and Seat electric vehicles. The data was also left accessible and unprotected on the internet, exposing politicians, business leaders, police, and intelligence agents, according to a report by the Chaos Computer Club (CCC).
German news outlet SPIEGEL first reported that movement data from 800,000 electric cars and owners' contact information were left unprotected online.
According to CCC, Europe's largest association of hackers, the private data was left exposed by Volkswagen’s software company, Cariad. Outsiders could check when the car’s ignition was switched off, and the exact GPS location revealed when the car was parked at home, at work, or elsewhere.
The data was stored for long periods of time and included information about vehicle owners.
“The fact that it was poorly protected on top of that is just the icing on the cake,” said Linus Neumann, spokesman for the CCC.
Researchers found data belonging to fleet management companies, board members and supervisory board members of companies in the DAX (Germany’s stock market index of 40 major companies), and various police authorities in Europe.
“For example, movement data from 35 electric patrol cars of the Hamburg police were recorded and stored on the VW platform for third parties to view,” CCC claims.
“Sensitive data on intelligence and military activities were also collected: Among other things, data sets were found from the parking garage of the Federal Intelligence Service (BND) and from the United States Air Force military airfield in Ramstein.”
According to SPIEGEL, Cariad left its Amazon cloud storage system with several terabytes of data on around 800,000 electric cars, “largely unprotected and accessible for months.” Precise location data was available for 460,000 vehicles and could be linked to the names and contact details of the owners. A whistleblower shared information about the leak with CCC.
While Cariad claimed that it “pseudonymized” data on customers' charging behavior and habits and never combined it with other data, SPIEGEL was able to track one politician parking cars near a sports club, favorite bakery, or physiotherapist's practice.
Following responsible disclosure, Cariad closed the exposed instances and claimed that no financial or personally identifiable information was leaked. The company gave assurances that no third parties, except the CCC, had accessed the systems and that there was no evidence of any misuse.