A glaring security vulnerability in Volkswagen’s software subsidiary, Cariad, has reportedly exposed sensitive data from 800,000 electric vehicles. The breach involved an unsecured Amazon cloud storage folder and has sparked serious concerns about data privacy and security within the automotive industry.
The issue was first brought to light by a whistleblower and confirmed by the European ethical hacking group Chaos Computer Club (CCC). The organization discovered that a misconfigured IT application in Cariad’s system was exposing critical information. Notably, over 460,000 vehicles were actively transmitting precise GPS data every time the car was turned off, creating detailed geolocation trails.
The situation came under scrutiny when Nadja Weippert, Mayor of Tostedt in Lower Saxony, noticed unusual data collection patterns while using the remote functionality of her Volkswagen ID.3. Her findings highlighted how the breach could compromise personal privacy on a massive scale.
On November 26, CCC notified Cariad of the issue, granting the company a 30-day window to address it. To Cariad’s credit, the technical team responded within hours, thanking the CCC for their ethical disclosure. The quick action earned praise from CCC spokesperson Linus Neumann, who called the response “thorough and responsible.”
However, German publication Spiegel criticized Volkswagen, calling the incident “a disgrace,” particularly as the company faces a history of trust issues stemming from its 2015 emissions scandal.
The data breach primarily impacted drivers in Germany, with over 300,000 vehicles exposed. Other affected regions included Norway, Sweden, the UK, the Netherlands, France, Belgium, Denmark, Switzerland, and Austria. Affected brands under Volkswagen’s umbrella included Audi, SEAT, and Skoda. It remains unclear whether Porsche, CUPRA, or other subsidiaries were also compromised.
