Massive VW Data Leak Exposed 800,000 EV Owners' Movements (carscoops.com)
(Saturday December 28, 2024 @05:00AM (BeauHD)
from the would-you-look-at-that dept.)
- Reference: 0175776601
- News link: https://yro.slashdot.org/story/24/12/27/2256234/massive-vw-data-leak-exposed-800000-ev-owners-movements
- Source link: https://www.carscoops.com/2024/12/vw-group-data-breach-exposed-location-info-for-800000-evs/
A new report reveals that the VW Group left sensitive data for 800,000 electric vehicles from Audi, VW, Seat, and Skoda poorly secured on an Amazon cloud, [1]exposing precise GPS locations, battery statuses, and user habits for months. Carscoops reports:
> It gets worse. A more tech-savvy user could reportedly connect vehicles to their owners' personal credentials, thanks to additional data accessible through VW Group's online services. Crucially, in 466,000 of the 800,000 cases, the location data was so precise that anyone with access could create a detailed profile of each owner's daily habits. As reported by [2]Spiegel, the massive list of affected owners isn't just a who's-who of regular folks. It includes German politicians, entrepreneurs, Hamburg police officers (the entire EV fleet, no less), and even suspected intelligence service employees. Yes, even spies may have been caught up in this digital debacle.
>
> This glaring error originated from Cariad, a VW Group company that focuses on software, due to an error that occurred in the summer of 2024. An anonymous whistleblower used freely accessible software to dig up the sensitive information and promptly alerted Chaos Computer Club (CCC), Europe's largest hacker association. CCC wasted no time contacting Lower Saxony's State Data Protection Officer, the Federal Ministry of the Interior, and other security bodies. They also gave VW Group and Cariad 30 days to address the issue before going public. According to CCC, Cariad's technical team "responded quickly, thoroughly and responsibly," blocking unauthorized access to its customers' data.
[1] https://www.carscoops.com/2024/12/vw-group-data-breach-exposed-location-info-for-800000-evs/
[2] https://www.spiegel.de/netzwelt/web/volkswagen-konzern-datenleck-wir-wissen-wo-dein-auto-steht-a-e12d33d0-97bc-493c-96d1-aa5892861027
The leak isn't the real problem. (Score:2)
by fuzzyfuzzyfungus ( 1223518 )
The damning thing isn't so much that they leaked the data; that's just giving it away for free rather than more discreetly finding people willing to pay for it; but that they gathered the data in the first place.
If someone knew how to configure S3 buckets the people in that data set wouldn't be safe; they'd just have no idea who had the data or how they got it, data brokerage not being a business that seeks attention.
GDPR - bite hard! (Score:2)
This will demonstrate whether EU mega-corps can avoid responsibility for their mistakes, or whether the EU is willing to upset its own major firms. But don't expect any clear decisions before the German election in February; the EU fining VW would be a vote winner for the AfD who are Euro-sceptics.
Re: (Score:2)
Potentially 4% of global revenue, but it depends on the circumstances. Malice, gross incompetence, poor response, attempted cover-up etc. And of course the nature of the data and number of victims, which is likely to be VW's biggest worry.
Re: (Score:2)
It wasn't any mistake to inappropriately collect it all in the first place. None of it should ever have been on record as a mass collection.