Volkswagen Hit by Massive Cyberattack as Cariad Exposes Data from 800,000 Electric Vehicles

Volkswagen’s automotive software subsidiary, Cariad, faced a major data security lapse, exposing information from approximately 800,000 electric vehicles. This breach, which could link sensitive data to drivers’ identities, included precise vehicle geo-location details, potentially revealing the whereabouts of drivers down to a few centimeters.
Unsecured Cloud Storage and Potential Risks
The vulnerability stemmed from unprotected terabytes of customer data stored in Amazon’s cloud infrastructure. For months, the exposed databases were accessible to anyone with basic technical skills, enabling unauthorized tracking of vehicle movements and retrieval of personal information.
Affected vehicles spanned several Volkswagen Group brands, including VW, Seat, Audi, and Skoda. Geo-location data for 460,000 cars was discovered, with some entries recording the exact position at the moment the vehicle was switched off. The exposure also covered high-profile vehicles, such as patrol cars in Hamburg’s police fleet and vehicles owned by individuals suspected of intelligence service affiliations.
Root Cause: Misconfigured Applications
Cariad attributed the breach to incorrect configurations in two of its IT applications. The issue was flagged by the Chaos Computer Club (CCC), a leading European organization of ethical hackers, which was notified of the vulnerability by a whistleblower. After confirming the security flaw, the CCC responsibly disclosed its findings to Cariad on November 26, providing detailed technical information.
According to Spiegel’s reporting, CCC members reached the data only after working through several layers of the system. Cariad had pseudonymized the records, but pseudonymization replaces direct identifiers without preventing records from being linked; by correlating several of the exposed datasets, the hackers were able to identify specific users.
Sensitive Data Discovered
In a memory dump taken from an internal Cariad application, the CCC found access keys to the cloud storage where the customer data was held. Those keys unlocked records containing longitude and latitude coordinates, driver identities, and other sensitive details; with them, investigative journalists and IT experts from Spiegel traced the movements of vehicles belonging to the German politicians Nadja Weippert and Markus Grübel. A memory dump that contains live credentials is as sensitive as the credentials themselves: access to such dumps has to be restricted, and any key found in one has to be rotated.
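The search the paragraph above describes, as an added example rather than Cariad’s or the CCC’s tooling: scanning a process memory dump for cloud storage access keys. The page does not say which key format was involved; because the storage was Amazon’s, AWS-style credentials (a 20-character access key ID starting with `AKIA`, a 40-character secret) are assumed, the dump is treated as a flat byte string, and the sample dump is constructed here using AWS’s documented placeholder credentials.

```python
"""Scan a memory dump for cloud access keys (added example, not Cariad/CCC code).

Assumptions: AWS-style credentials; the dump is a flat byte string.
The SAMPLE_DUMP below is constructed for this example.
"""
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# Access key IDs: "AKIA" followed by 16 uppercase alphanumerics, not embedded in a longer token.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])")
# Secret candidates: exactly 40 base64-alphabet characters, not embedded in a longer token.
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
WINDOW = 512  # bytes on each side of an access key ID in which to look for its secret


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; real secrets score high, filler such as 'AAAA...' scores near zero."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    offset: int                     # byte offset of the access key ID in the dump
    access_key_id: str
    secret_candidate: Optional[str]  # nearest high-entropy 40-char token, if any


def scan_dump(dump: bytes, min_entropy: float = 4.0) -> List[Finding]:
    """Return every access key ID in the dump, paired with a likely secret found nearby."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(dump):
        start = max(0, m.start() - WINDOW)
        end = min(len(dump), m.end() + WINDOW)
        window = dump[start:end]
        secret = None
        for s in SECRET_RE.finditer(window):
            cand = s.group(0)
            # Entropy filter drops padding and repeated-character runs that match the shape.
            if shannon_entropy(cand) >= min_entropy:
                secret = cand.decode("ascii")
                break
        findings.append(Finding(m.start(), m.group(0).decode("ascii"), secret))
    return findings


# Constructed sample: config strings as they might sit in a heap, with a low-entropy decoy.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"config.properties\x00"
    + b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00"  # 40-char decoy, entropy 0
    + b"cloud.storage.bucket=example-telemetry\x00"  # hypothetical name
    + b"cloud.storage.accessKeyId=AKIAIOSFODNN7EXAMPLE\x00"  # AWS documentation placeholder
    + b"cloud.storage.secretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"  # AWS placeholder
    + b"\x00" * 64
)

if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        # Print only a prefix of the secret; a scanner's own output must not become a second leak.
        shown = (f.secret_candidate or "")[:4] + "..." if f.secret_candidate else None
        print(f"offset={f.offset} access_key_id={f.access_key_id} secret={shown}")
```

Run against a real dump, the scanner’s output is itself sensitive, which is why the usage above prints only a prefix of any secret it finds; the complete value belongs in a rotation ticket, not a log.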
The breach impacted vehicles primarily in Germany (300,000), but also affected cars in Norway (80,000), Sweden (68,000), the UK (63,000), the Netherlands (61,000), France (53,000), Belgium (68,000), and Denmark (35,000).
Swift Response and Resolution
Upon receiving the CCC’s report, Cariad’s security team acted promptly, securing the vulnerable systems on the same day. CCC representatives confirmed that Cariad responded “quickly, thoroughly, and responsibly,” addressing the issue within hours.
Cariad’s investigation found no evidence that any unauthorized parties, aside from the CCC, accessed or misused the exposed data. The company also emphasized that the CCC hackers were only able to access stored vehicle data and did not gain control over the vehicles themselves.
Data Collection Practices and Customer Transparency
Cariad stated that the data collection practices comply with legal requirements, customer consent, and legitimate business interests. Customers can opt out of data-sharing features at any time. The company uses collected data to enhance digital functionalities, optimize vehicle performance, and improve user experiences.
While highlighting its commitment to data security, Cariad explained that anonymized data, such as charging habits, contributes to innovations like advanced battery systems and enhanced charging software. Strong privacy practices—including pseudonymization, restricted access rights, and data aggregation—are in place to safeguard customer information.
Cariad reaffirmed its dedication to maintaining customer trust and emphasized that digital advancements rely on responsibly handled data to deliver personalized and optimized vehicle features.