Auto manufacturers Volkswagen and Audi have been hit by a data breach following a vendor exposing unsecured data online, resulting in 3.3 million customers being affected.

As the German-owned Volkswagen Group’s subsidiary for North America, Volkswagen Group of America, Inc., or VWGoA for short, is responsible for all Canadian and US operations across several brands of car offered by the company. These include Audi, Lamborghini, Bugatti, Bentley and, of course, Volkswagen.

A recent data breach notice filed with the Attorney General for California and Maine saw VWGoA advise the authority that a vendor had erroneously left data that was unsecured exposed online from August 2019 to May 2021.

Details of a damaging data leak

The US subsidiary of the Volkswagen Group was informed by the vendor in question that an unauthorised individual had managed to access unsecured company data and could potentially have acquired Audi and Volkswagen customer information, along with content on authorised dealers for the brands.

VWGoA confirmed that the largescale breach had involved the data of 3.3 million customers. It added that more than 97 per cent of data affected related to Audi customers and potential buyers.

The type of personal information disclosed varies from customer to customer, but could potentially involve basic contact details to more sensitive data, like social security numbers.

A statement from the North American wing of Volkswagen commented:

“The data included some or all of the following contact information about you: first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, colour, and trim packages.”

The notification added that more sensitive data may also have included details related to customer eligibility for leases, purchases and finance. Over 95 per cent of the confidential information disclosed the customer’s driving licenses, however, a smaller number of data files included dates of birth, tax ID numbers, account numbers and social insurance numbers.

Customers impacted by a data breach

VWGoA wasted no time in notifying all impacted customers and prospective car buyers through emails that warned them to be on their guard and to look out for any suspicious telephone calls, text messages and emails.

For the 90,000 individuals who had the misfortune of having more sensitive personally identifiable information (PII) disclosed, Volkswagen is now providing them with free credit monitoring and protection services to safeguard against any fraudulent attacks. This protection also includes $1 million worth of insurance to defend the impacted customers against incidents of identity theft.

As the personal data was exposed for many months, it is impossible to measure how many unauthorised individuals may have accessed the records. Data subjects whose sensitive information was leaked in the incident are advised to implement a freeze on their personal credit report to make it more difficult for cybercriminals to attempt identity theft and gain lines of credit in their name.