Just imagine: the smallest details of your life, meticulously recorded and accessible at the click of a button. Where you're going, how fast you're driving, your private conversations, even your state of health or sexual practices - all potentially available not only to car manufacturers, but also to hackers. This is the nightmare scenario highlighted by the recent data breach at the Volkswagen Group (VW, Audi, Skoda and Seat).
GPS data, contact information, and potentially much more: all of it could now be in the hands of malicious actors. This scandal is a stark reminder of the warnings issued by the Mozilla Foundation in 2023: modern cars have become veritable "surveillance machines on wheels."
Four out of five brands sell your data
In 2023, Mozilla published a damning report on the "nightmarish" privacy practices of the car industry. The Volkswagen Group, despite adhering to the Alliance for Automotive Innovation's consumer protection principles of data minimisation, transparency and choice, had failed to live up to these principles. The Mozilla study found that 25 car brands were collecting more data than necessary and 84% were sharing or selling driver data.
Worse still, 68% of the brands had suffered hacks, security incidents or data leaks in the previous three years.
The Volkswagen data breach, which exposed the personal information of 800,000 electric car owners, mainly in Germany, confirmed these fears. Caused by a misconfiguration of systems at Cariad, Volkswagen's software subsidiary, the breach allowed public access to sensitive data stored on Amazon Cloud for months. The compromised data included precise GPS information, allowing detailed movement profiles of vehicles and their owners to be created. What is particularly worrying is that the breach affected not only ordinary citizens, but also high-ranking figures, including politicians, business leaders and law enforcement officers.
BMW, Kia, Mercedes-Benz and Jeep already under attack
The Chaos Computer Club (CCC), a group of German hackers, discovered the flaw and alerted Volkswagen, enabling the company to fix the problem before it could be exploited maliciously. This incident adds to a long list of security scandals in the automotive industry. Security researchers have demonstrated vulnerabilities in systems at BMW and Kia, while Mercedes-Benz displayed a compromised internal chat system. The 2015 Jeep hack, in which IT specialists could take control of a Jeep via its cellular module, remains an emblematic example of the vulnerability of connected cars.
The Volkswagen data breach is a wake-up call for the automotive industry. It highlights the urgent need for robust cyber security measures to protect consumer data. It is imperative that car manufacturers prioritise data privacy and security, and that consumers demand greater transparency and control over their data. The future of the car is connected, but it must not be at the expense of privacy. And perhaps regulators in Europe, at European or national level, would be wise to take up these practices.
This article was originally published in