A data leak exposed the location data of approximately 800,000 Volkswagen (VW) electric vehicles (EVs) for several months, impacting vehicles from VW, Audi, Seat, and Skoda, as reported by Der Spiegel.
Data leak exposes location of 800,000 Volkswagen EVs
The incident revealed real-time GPS locations of affected vehicles, allowing observers to see if cars were parked at home, on the street, or in more sensitive locations, according to Der Spiegel. The leak originated from a VW subsidiary, Cariad, which collects data to enable features like car preheating and battery monitoring via the VW app.
Before the vulnerability was closed, several terabytes of data linked to around 800,000 EVs were reportedly exposed on Amazon’s cloud storage system. Der Spiegel stated that accessing this unprotected data would not have posed a significant challenge to intelligence agencies, competitive firms, criminals, or even “bored teenagers.”
The potential implications of this data exposure are serious. Much of the vehicle data could be linked to personal information such as names, email addresses, home addresses, and phone numbers of car owners. According to the report, precise location data for 460,000 vehicles detailed the timing and locations of their parking and operation.
Apple may collect your photo data by default
Response from Volkswagen and affected individuals
Following the revelation, VW’s Cariad stated it only collects pseudonymized data to improve charging behavior and software. They insisted that “no sensitive information such as passwords or payment details are affected,” and added that users can deactivate online functions within their vehicles.
The vulnerability became known after a whistleblower notified both Der Spiegel and the Chaos Computer Club (CCC), who then investigated the extent of the breach. Politician Nadja Weippert expressed shock upon discovering her car’s data was stored unencrypted, emphasizing the need for VW to improve data security.
Markus Grübel, another politician affected by the leak, described the situation as “annoying and embarrassing,” stating it undermines confidence in the German automotive industry’s IT capabilities concerning privacy and security.
Der Spiegel outlined the potential for this data to be exploited by foreign intelligence services to track individuals of interest or for use in blackmail. It suggested that data indicating regular visits to certain locations, such as brothels or hospitals, could facilitate malicious schemes.
The CCC, upon discovering the vulnerability, contacted Cariad and VW Group, allowing for quick action to remediate the issue. The team praised Cariad’s prompt response to their alert, closing the vulnerability once it was reported.
The exposed data included detailed vehicle movements, providing a comprehensive insight into the daily habits of drivers. It allowed for tracking of when a car was turned on or off and where it had been, presenting significant privacy concerns for many owners.
Broader impacts on automotive data privacy
The data leak highlights the broader issues of data collection practices by automakers, which can include detailed tracking and profiling of vehicle users. Research indicates that modern vehicles often collect more data than necessary, with a 2023 Mozilla Foundation survey revealing that 68% of examined brands had previously experienced security incidents or data breaches.
Other manufacturers have also faced security vulnerabilities related to data collection. In January 2023, a group of hackers successfully accessed user accounts at BMW and Mercedes-Benz, while a previous incident known as the “Jeep hack” demonstrated vulnerabilities in vehicle control systems.
The legal landscape surrounding automotive data is shifting, with the EU’s new Data Act set to grant car owners increased control over their vehicle data starting in September 2025.
Featured image credit: Erik Mclean/Unsplash
