VW Data Breach Exposed Personal Information Of 15 Million Owners

by Michael Accardi

Volkswagen’s recent data breach, affecting sensitive information from over 15 million vehicles, was traced back to inadequate security measures.


Disclosed by security analyst Flüpke at the Chaos Computer Club in late December, the breach exposed significant lapses in data protection practices, including potential violations of GDPR and of the company’s own terms of service.

The leaked data included a broad array of user and vehicle information, such as names, email addresses, birthdates, and physical addresses. On the vehicle side, VINs, model details, and full user IDs were accessible, along with EV-specific data such as odometer readings, battery temperature, charging status, and warning light indicators.


Alarmingly, geolocation data with precision down to 10 centimeters was also compromised. Because of the breadth of data available, the breach exposed patterns such as workplace locations, shopping habits, school drop-offs, and even residences of law enforcement personnel.

Flüpke detailed how he uncovered the vulnerability using specific coding tools to analyze VW's systems. The investigation revealed that a heap dump, a Java Virtual Machine (JVM) diagnostic snapshot of an application's memory, was exposed without password protection. The dump contained AWS credentials in plain text, which gave anyone who retrieved it a direct path to the sensitive data.
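The defensive lesson of the heap-dump finding is that diagnostic artifacts carry whatever secrets the process held in memory, so they must be treated as sensitive and checked before they are stored or exposed. The following Python is an added example, not code from the article or from Volkswagen: it scans a constructed stand-in for a JVM heap dump for AWS-shaped credentials and masks them. The sample bytes, the class name and the regular expressions are assumptions for the demo; the key values are the placeholders AWS uses in its own documentation, not real credentials.

```python
import re

# Constructed stand-in for a JVM heap dump: a few bytes of framing plus the kind of
# strings a credentials object leaves behind in memory. The key values are the
# placeholders from AWS documentation, not real credentials.
SAMPLE_HEAP_DUMP = (
    b"JAVA PROFILE 1.0.2\x00\x00\x00\x00"
    b"com.example.vehicle.TelemetryClient\x00"          # hypothetical class name
    b"accessKeyId\x00AKIAIOSFODNN7EXAMPLE\x00"
    b"secretAccessKey\x00wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    b"region\x00eu-central-1\x00"
    b"vin\x00WVWZZZ_PLACEHOLDER\x00"
)

# AWS access key IDs are 20 characters: a 4-letter prefix followed by 16 upper-case
# alphanumerics. The lookarounds stop the pattern matching inside longer tokens.
ACCESS_KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret access key is 40 characters of base64-style text. That shape alone is too
# common in a memory image, so it only counts when it sits within 64 bytes after a
# "secret" label (case-insensitive; DOTALL lets '.' cross NUL bytes).
SECRET_KEY_NEAR_LABEL = re.compile(
    rb"secret.{0,64}?(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])",
    re.IGNORECASE | re.DOTALL,
)


def find_credentials(blob: bytes) -> dict:
    """Report AWS-shaped credentials in a diagnostic artifact without echoing secret values."""
    key_ids = [m.group(0).decode("ascii") for m in ACCESS_KEY_ID.finditer(blob)]
    secrets = SECRET_KEY_NEAR_LABEL.findall(blob)
    return {"access_key_ids": key_ids, "secret_keys_found": len(secrets)}


def redact(blob: bytes) -> bytes:
    """Mask credential material so the dump can be kept for debugging without leaking keys."""

    def mask_id(m):
        return m.group(0)[:4] + b"*" * 16  # keep the prefix so the finding stays visible

    def mask_secret(m):
        start, end = m.span(1)  # group 1 is the 40-character secret itself
        whole = m.group(0)
        return whole[: start - m.start()] + b"*" * 40 + whole[end - m.start():]

    blob = ACCESS_KEY_ID.sub(mask_id, blob)
    return SECRET_KEY_NEAR_LABEL.sub(mask_secret, blob)


def safe_to_share(blob: bytes) -> bool:
    """Gate for a dump leaving the host: true only if nothing credential-shaped remains."""
    report = find_credentials(blob)
    return not report["access_key_ids"] and report["secret_keys_found"] == 0


if __name__ == "__main__":
    print("before:", find_credentials(SAMPLE_HEAP_DUMP), "shareable:", safe_to_share(SAMPLE_HEAP_DUMP))
    cleaned = redact(SAMPLE_HEAP_DUMP)
    print("after: ", find_credentials(cleaned), "shareable:", safe_to_share(cleaned))
```

The scan is a last line of defence; the primary controls are keeping diagnostic endpoints behind authentication and using short-lived credentials so that anything captured in a dump expires quickly. A real heap dump is a binary format, which is why the scanner works on raw bytes rather than decoding the file.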


Volkswagen claims the breach involved a “complex multilayered process,” but Flüpke countered that the issue was compounded by weak token security: a JWT (JSON Web Token) could be generated for arbitrary user IDs, enabling attackers to authenticate as legitimate users and access personal data via VW’s API. I have no idea how to do any of this, but it sounds like it would be relatively easy for those who know the right keystrokes.
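The token weakness described above comes down to an API trusting the user ID inside a token that the server never properly verified. The Python below is an added illustration, not code from the article or from VW's API: it contrasts a verifier that simply reads the subject out of the payload with one that pins the algorithm, checks the HMAC signature in constant time and enforces expiry, using only the standard library. The signing key, the claim layout and the client-assembled test token are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical server-side signing key for the demo; a real service keeps it in a secret store.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(user_id: str, key: bytes, ttl_seconds: int = 3600, now=None) -> str:
    """Server-side issuance: 'sub' comes from the server's own record of who logged in."""
    now = int(time.time()) if now is None else now
    header = _encode_json({"alg": "HS256", "typ": "JWT"})
    payload = _encode_json({"sub": user_id, "iat": now, "exp": now + ttl_seconds})
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def client_assembled_token(user_id: str) -> str:
    """Constructed test input: a token the client built itself, naming an arbitrary user ID,
    with 'alg': 'none' and an empty signature. A verifier must refuse it."""
    header = _encode_json({"alg": "none", "typ": "JWT"})
    payload = _encode_json({"sub": user_id, "exp": 2 ** 31})
    return f"{header}.{payload}."


def decode_unverified(token: str) -> dict:
    """The weak pattern: read the payload and trust whatever 'sub' it carries."""
    payload_b64 = token.split(".")[1]
    return json.loads(_b64url_decode(payload_b64))


def verify_token(token: str, key: bytes, now=None) -> dict:
    """Hardened: pinned algorithm, constant-time signature check, expiry enforced, and the
    subject is only read after the signature has been validated."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")  # rejects 'none' and algorithm-confusion attempts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload.get("sub"), str):
        raise ValueError("missing subject")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("expired")
    return payload


def is_accepted(token: str, key: bytes, now=None) -> bool:
    """Boolean wrapper so the two verifiers can be compared side by side."""
    try:
        verify_token(token, key, now)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    good = issue_token("user-123", SIGNING_KEY)
    forged = client_assembled_token("user-999")
    print("weak verifier on forged token  ->", decode_unverified(forged)["sub"])
    print("strict verifier on forged token->", is_accepted(forged, SIGNING_KEY))
    print("strict verifier on issued token->", is_accepted(good, SIGNING_KEY))
```

The point the strict verifier makes is that the user ID inside a token is just a claim until the signature binds it to the issuer; an API that authorizes data access on the claim alone lets any caller pick the identity it wants. Signature checks also need the key to stay secret, which is why a credential leak such as the heap-dump exposure and a token weakness reinforce each other.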


Although the system didn’t allow for vehicle control, it did provide unrestricted access to sensitive customer information. Following the breach, Volkswagen reportedly invalidated the compromised AWS credentials.

Volkswagen has been criticized for over-collecting data far beyond what was necessary for vehicle safety analysis, and VW isn't the first automaker to face such an accusation. For instance, VW retains detailed location data to evaluate battery performance, which is non-compliant with GDPR's requirements for data minimization and encryption of sensitive information.


Drivers are often unaware of the vast digital trail their vehicles leave behind. Automakers need clearer policies and consumer opt-out options. The VW incident, along with Tesla's role in the Las Vegas investigation, should be a wake-up call about the surveillance potential embedded in modern vehicles.


With over 75% of car brands admitting they can share or sell driver data, the lack of robust regulatory oversight creates significant risks for consumers.






An experienced automotive storyteller and accomplished photographer known for engaging and insightful content. Michael also brings a wealth of technical knowledge: he was part of the Ford GT program at Multimatic, oversaw a fleet of Audi TCR race cars, ziptied Lamborghini Super Trofeo cars back together, went over the wall during the Rolex 24, and worked in the intense world of IndyCar.
