Data from around 800,000 Volkswagen electric vehicles (EVs) has been exposed and available to hackers after the German auto giant’s software subsidiary reportedly recently suffered a security flaw.
German publication The Mirror reports that Volkswagen’s subsidiary Cariad – previously responsible for delayed EV launches and software platforms – had a security flaw that allowed hackers to easily access vehicle data.
This vulnerability was shared with both of them by a whistleblower The Mirror and the hacker-centric Chaos Computer Clubbut it is clear that the data has not been used for nefarious purposes.
About 300,000 of the 800,000 vehicles were registered in Germany, but a number of other European countries and Britain were also involved.
There are hundreds of new car deals available through AutoExpert now. Get the experts on your side and score a good deal. Browse now.
Although Cariad has patched the vulnerability, The Mirror says the data can easily be used to create a detailed profile of a Volkswagen ID.3 or ID.4 owner’s daily movements and the status of their vehicle.
“For about half of those affected, including owners of the Volkswagen ID.3 and ID.4 models, the data is particularly detailed,” the publication reports in a translated excerpt.
“It shows when the car in question is switched on and when and where exactly it is switched off. Most of the data dates back to 2024, but some goes back further.
“Criminals or spies could derive detailed movement profiles from this data. For example, it may be interesting for foreign intelligence services to see whose car is parked near Federal Intelligence Service buildings or driving to the US Air Force airport in Ramstein every day between 8 a.m. and 5 a.m. – the Cariad data indicated this . ”
According to the publication, the data can also be used to access the owner’s online addresses to create credible phishing emails and impersonate Volkswagen to obtain credit card information.
The data even showed that those who could see it, some owners had been driven to a brothel, opening the possibility of blackmail.
While the location accuracy of Volkswagen and Seat models was found to be accurate to within 10cm, Audi and Skoda EVs were considered ‘less problematic’ as they could only be tracked to within 10km.
When asked why it collects this data, Cariad told the publication that it has “pseudonymized data on customer charging behavior and habits,” but said the data is never collected in a way “that makes it possible to draw conclusions about individual people or movement profiles. .”
The software company described the security flaw as a “misconfiguration” and told the publication “to our current knowledge, no one other than the CCC has accessed the systems and we have no evidence of any misuse of data by third parties.”
German publication last year manager magazineand later Reutersreported that 2,000 jobs at Cariad would be cut between 2024 and the end of 2025.
