Electric cars have jeopardized drivers’ private data: how it happened

30 December 18:46

For several months, location data for about 800,000 Volkswagen electric vehicles was publicly accessible. According to DER SPIEGEL, the leak was caused by an error at VW subsidiary Cariad, Komersant ukrainskyi reports.

It is reported that in many cases, this data can be linked to the names and contact information of drivers by comparing it with other network data and thus used to create travel profiles.

The data remained unprotected for several months in Amazon’s cloud storage and the exact location of approximately 460,000 vehicles was available. Most of the data dates back to 2024, but some of it is even older. The information about the owners of VW ID.3 and ID.4 models was particularly detailed. Politicians, businessmen, Hamburg police, and possibly intelligence officers were also affected.

The leak was probably caused by an error at VW’s subsidiary Cariad. Volkswagen Group CEO Oliver Blume recently initiated the closure of this software subsidiary, and one of the company’s executives recently called Cariad “the biggest bomb this company has ever had.”

German journalist Arno Frank wrote more about the Volkswagen data leak in his column.

In his article “Der Spitzel in meiner Garage” (The Spy in my Garage), he says that “modern cars are giant data collection vacuum cleaners”. Countless sensors constantly record who is driving where, at what speed, where they are parked, and for how long. These huge amounts of data are stored in the cloud. This is extremely sensitive data, which, in the worst case scenario, can be used to derive personalized profiles of drivers’ movements.

What we know about the Volkswagen data breach and who was affected

This is exactly what happened to VW the other day. Due to a software failure at VW’s Cariad subsidiary, several terabytes of electric car data were so unprotected in Amazon’s cloud storage system that even “bored teenagers” could access it, not to mention spies, fraudsters, and blackmailers.

For example, fraudsters could have used this data to create plausible phishing emails impersonating Volkswagen, a supplier or a subsidiary in order to request credit card or other payment information.

“Everything was in the public domain, you just had to know where to look. It took no more than a few freely available computer programs that are standard tools for criminal hackers and IT security experts alike,” Arno Frank writes.

But, according to the author of the column, instead of talking about a security gap (which has already been closed), the company prefers to talk about “misconfiguration.”

Nadja Weippert, a member of the Lower Saxony state parliament from the Green Party, has already become one of the victims of the data leak. The politician’s car was actually “spying” on her, collecting private data and transmitting it to the equipment manufacturer. In this way, it was possible to learn about the sports club, favorite bakery, and physiotherapist’s office that Weippert visited.

Why the company collected data on car owners

But why does Cariad collect all this data in the first place? The company told SPIEGEL that the data on customers’ charging behavior and habits is used to improve the batteries and related software. Cariad emphasized that the data is never aggregated within the group in such a way that it can be used to draw conclusions about individuals or create travel profiles.

What modern cars “spy” on their owners

The report also says that the problem goes far beyond one manufacturer and affects the entire industry, in which software has long been more important than hardware.

Thus, a random sample of four car models from BMW, Renault, and Mercedes showed that the B-Class, for example, transmits its current location to Mercedes every two minutes. In addition, the system reports on mileage, fuel level, tire pressure, and the number of seat belts fastened, all of which allows conclusions to be drawn about driving style. And the BMW i3 under test transmitted detailed data on the battery status and the location of 16 previously used charging stations after being switched off.

What other car manufacturers have had problems with private data

VW is far from the only automaker with significant security concerns about data breaches. In January 2023, a team led by 23-year-old hacker Sam Curry from Omaha, Nebraska, demonstrated how they were able to access any BMW employee or dealer account and view sales documents. They also broke into Mercedes-Benz’s corporate chat room.

The security gaps discovered by hackers at KIA were even more serious. They were able to remotely unlock and even start the South Korean manufacturer’s cars. Luckily, Curry and his team were so-called white-hat hackers who acted in the same way as the Chaos Computer Club in the case of Cariad: they informed the affected companies in advance, and the vulnerabilities were closed.

Мандровська Олександра
Editor