For several months, the location data of nearly 800,000 electric Volkswagen vehicles was accessible online due to a significant data leak, according to a report from the German magazine Der Spiegel. The leak, which originated from software within the vehicles, could have allowed malicious actors to track drivers’ precise movements, as noted by Electrek.
A whistleblower informed Der Spiegel and the European hacking group Chaos Computer Club about the vulnerability, which also affected electric vehicles (EVs) from other Volkswagen brands, including Audi, Seat, and Skoda.
The leak was traced back to Cariad, Volkswagen’s software subsidiary, which stored driver data on Amazon’s cloud platform. This data included not only the vehicles’ activation and deactivation times but also sensitive information like names, contact details, and in some cases, addresses. The most concerning aspect was the precise location of around 460,000 vehicles—Volkswagen and Seat models had location data accurate to within 10 cm (~4 inches), while Audi and Skoda models had location data accurate to within 10 km (~6 miles).
While Cariad has since addressed the issue, stating that customers don’t need to take any action since no sensitive information like passwords or payment details was exposed, the leak serves as a stark reminder of the vast amount of personal data modern vehicles collect. The data privacy risks associated with these technologies have been called a “privacy nightmare” by organizations like Mozilla.