Massive Data Breach at Popular Car Manufacturer, 800,000 Owners Tracked for Months

**Massive Data Breach at Volkswagen’s Software Subsidiary Cariad Exposes Personal Information of 800,000 Electric Vehicle Owners**

A major data breach has occurred at Cariad, the software subsidiary of Volkswagen, resulting in the exposure of personal data belonging to approximately 800,000 electric vehicle owners. For the past few months, their driving data, including parking locations, driving routes, and battery status, has been exposed online.

According to a report by the German magazine Der Spiegel on December 27, the leaked data includes detailed information about the whereabouts of these electric vehicles, revealing daily driving habits such as locations visited and charging schedules since last summer. This breach means that anyone can access the data online and track when a vehicle was parked at home, traveling on the highway, or stopped in front of a specific address.

The breach involves Volkswagen, Audi, Seat, and Skoda electric vehicles in Germany, Europe, and other regions. Of the affected vehicles, 300,000 are located in Germany; there is no information indicating whether any are in North America.

Der Spiegel’s investigation into the exposed data yielded shocking results. The magazine found precise location information for 460,000 vehicles in the company’s cloud database, including 35 electric cars from the Hamburg police fleet, vehicles of politicians, business leaders, and intelligence agency employees, and vehicles from the United States Air Force’s Ramstein Air Base.

The magazine reported tracking the daily movements of two German politicians with astonishing accuracy. According to the GPS data from his car, one, a member of the German Defense Committee, frequented his father’s nursing home and a military base. The other politician’s route included regular trips from her workplace at the city hall to a therapist’s office.

The security flaw had been present for several months before the Chaos Computer Club, Europe’s largest hacker association, received a tip from an anonymous hacker and brought attention to it.

The Chaos Computer Club notified Volkswagen about the security vulnerability on November 26, 2024, and alerted the German Federal Ministry of the Interior and state police. The hacker group gave Volkswagen and its subsidiary Cariad a 30-day window to address the issue before making it public through the media.

The data leak stems from a connected car application developed by Cariad that allows owners to remotely start vehicles, manage in-car air conditioning, and check battery status. The application also collects GPS information and driving data and sends it back to the car manufacturer. However, the company’s use of low-level cloud security technologies left this data unprotected.

Following the exposure of the data breach, Cariad stated that there is currently no evidence that any third party besides the Chaos Computer Club has accessed and misused the data. Additionally, this information has not been combined with other internal company data, preventing its connection to vehicle and owner personal information. The security vulnerability has been addressed, and no further action is required from the owners.