Location data for 800,000 cars exposed online for months

By Trevor Mogg Published December 30, 2024

A data leak led to around 800,000 Volkswagen (VW) electric vehicles (EVs) having their location exposed online for several months, according to a report by German news magazine Der Spiegel.

The global incident impacted owners of EVs from VW, Audi, Seat, and Skoda, with real-time location showing for the affected vehicles, whether they were at home, driving along the street, or, in the words of Der Spiegel, parked “in front of the brothel.”

VW collects data — including GPS coordinates — after a car owner sets up the VW app, which allows them to do things like preheat the car, monitor the battery charge level, and check the remaining range. This builds a data set that can then be used to create a detailed profile of someone’s daily movements, Der Spiegel said.

That may already be news to some owners, but the really alarming element of this story is that due to an error, the data was publicly accessible. In fact, several terabytes of information linked to around 800,000 EVs remained exposed on Amazon’s cloud storage system for several months.

Before the vulnerability was closed, Der Spiegel said it was able to reproduce it, claiming that “accessing the system would not have been a significant challenge for intelligence services, spying VW competitors, criminals, or even bored teenagers. Everything was out in the open, you just had to know where to look.”

The news site said that much of the vehicle data could be linked to the names and contact details of the owners, and in some cases included email addresses, home addresses, and cell phone numbers.

The error reportedly occurred because a VW subsidiary called Cariad, which created a software platform for the auto group’s EVs, failed to notice an error that entered the system last summer. In fact, the breach only came to light after a whistleblower alerted Der Spiegel and also the Chaos Computer Club.

The news report lists a number of scenarios where the data — if it fell into the wrong hands — could be utilized for nefarious purposes. Foreign intelligence operatives, for example, could track politicians or other targets, while blackmailers could go after individuals found to be visiting places that they’d rather keep secret.

Asked by Der Spiegel about the collection of driver information, Cariad said that it collects pseudonymized data on customers’ charging behavior and habits, using it to improve batteries and the associated software.

It added that following the data exposure, customers are not required to take any action, insisting that “no sensitive information such as passwords or payment details are affected.” It added that owners can choose whether they use VW products and services that require the processing of personal data, as all vehicles with online functions offer a deactivation option.

VW has yet to comment publicly on the incident. Digital Trends has contacted the automaker and will update this article when we hear back.

The incident highlights the ongoing issue of data collection by automakers, which has been made possible by advances in connectivity and sensor technology in modern vehicles. “Cars really seem to have flown under the privacy radar,” the research lead of a study on the matter said last year.