Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy Security

Hackers Are Selling Data Stolen From Audi and Volkswagen (vice.com) 22

On Friday, Volkswagen disclosed a data breach that it said affected 3.3 million customers and interested buyers. On Monday, hackers put the data stolen from the car maker on sale on a notorious hacking forum. From a report: In the sales listing reviewed by Motherboard, a hacker that goes by 000 wrote that the data included email addresses and Vehicle Identification Numbers (VIN). The hacker also posted two samples of the data, which included full names, email addresses, mailing addresses, and phone numbers. The type of data seems to align with what Volkwagen admitted was stolen. In a website set up by a cybersecurity vendor on behalf of the car maker, Volkswagen said that "the majority" of affected data included: "first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color and trim packages."

But for 90,000 victims, the data also included "more sensitive information relating to eligibility for a purchase, loan, or lease. Nearly all of the more sensitive data (over 95%) consists of driver's license numbers," according to the company, which added that the majority of data pertains to Audi customers and interested buyers in the US and Canada only. The company also said it believes the data was left unsecured by a vendor. (Audi is owned by the Volkswagen Group.) "There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers," the website read.

This discussion has been archived. No new comments can be posted.

Hackers Are Selling Data Stolen From Audi and Volkswagen

Comments Filter:
  • So I guess nothing was stolen from Porsche?
    • Different business units are usually managed separately.

      • realization.
        volkswagon can not build cars.
        i guess i should not be surprised that volkswagon is also thoughtless about company information

    • Indeed.
      Volkswagen, Audi, SEAT, KODA, Bentley, Bugatti, Lamborghini, Porsche, Ducati, Volkswagen Commercial Vehicles, Scania and MAN.. it's all VW.

      Only Rolls Royce is BMW.

  • by peterww ( 6558522 ) on Thursday June 17, 2021 @11:29AM (#61496686)

    HIPAA regulations help ensure that the people you give your Personal Health Information to can't just send the data willy-nilly to anyone at all, that the people that have access to them must have a good reason for it, and that they have to take some basic precautions to protect the information.

    PCI regulations help ensure similar things about credit card data.

    But there's no regulation that specifically protects *other* sensitive information, like social security numbers and drivers' license numbers. If we had regulations covering those, businesses would be required to perform the most basic protections for this data, and not send them or keep them just anywhere.

    A handful of states have enacted varying laws about what you can and can't do with a SSN. But they're not standard, and only protects a fraction of the country (and only businesses in those states). https://advocacy.consumerrepor... [consumerreports.org]

    Meanwhile, the federal government knows this is a problem, but doesn't do much about it. In 2010, they created a law purely to stop printing SSNs on checks they issue, and to prevent prisoners from getting lists of SSNs. Well I guess that'll solve it... https://www.thebalance.com/soc... [thebalance.com]

    Regulations are not foolproof. But I can tell you from personal experience that companies I have worked for only started giving a crap about credit card data, health data, and personal information, after federal regulations created penalties for their misuse.

    • But there's no regulation that specifically protects *other* sensitive information, like social security numbers and drivers' license numbers.

      SSN: Given to you by the government.
      DLN: Given to you by the state.
      Phone#: Given to you by a monopoly.

      Seems right in line who should be doing the management.

    • But there's no regulation that specifically protects *other* sensitive information, like social security numbers and drivers' license numbers.

      This is fixing the problem from the wrong end.

      What we should be doing is banning the use of these numbers for authentication. No financial or credit-issuing company should use the knowledge of these numbers as a verification of identity. Then it doesn't matter if they leak.

  • I've been worried about my 1981 Volkswagen Dasher warranty and was hoping someone would reach out to me about extended it.
  • Instead of attacking and trying to catch the hackers who got the information, and sold it. You should target those who had bought and used such information.
    Being large fines, jail time, or a fleet of Apache Helicopters going to their location.

    The actual hacker may just be a lone wolf, some kid who just stumbled onto a security flaw, they may be difficult to track down. However if the data is bought for millions of dollars, chances are it is going to be targeted towards an organization, wealthy person, or

    • by Luthair ( 847766 )
      Probably the primary buyers here will be people looking to phish the people in the leak, or looking to commit identity frauds.
    • While that would be helpful, our courts have now made it perfectly legal for any random DMV person or cop to do the same, regardless of what vehicle you own. They need access to this information to do their jobs and misusing it for non-work purposes is no longer considered a criminal act.
  • by 140Mandak262Jamuna ( 970587 ) on Thursday June 17, 2021 @12:00PM (#61496814) Journal
    Most of the data seems to be contact info and prosaic things like driver license numbers. This public and trivial information should not have any serious consequences to anyone if they get leaked in the net.

    But most of the lenders are so lax they lend to anyone based on name, address, date of birth and social security number. Again that too should be the problem of the lender, but they way US laws are structured, if someone claims to be me and borrows, it is up to me to prove it was not me. I should be able to say, "You lent the money, You did the verification. Prove that I did the borrowing. If you blindly report to credit reporting agencies that I have defaulted on loan mistakenly you are liable for all damage cause by such a report under libel and slander laws". . But I can't, and that is the root cause of the problem. I am not big enough to fight the banks.

    • But most of the lenders are so lax they lend to anyone based on name, address, date of birth and social security number. Again that too should be the problem of the lender, but they way US laws are structured, if someone claims to be me and borrows, it is up to me to prove it was not me. I should be able to say, "You lent the money, You did the verification. Prove that I did the borrowing. If you blindly report to credit reporting agencies that I have defaulted on loan mistakenly you are liable for all dama

  • Probably Audi and VW did it themselves to act like there is something worth stealing from them. If it were SpaceX or Tesla stuff that would be more of value. Whatâ(TM)s there to find out from VW? How to make a Golf clone? Are you kidding me? Who would want to do that?

    • by PPH ( 736903 )

      What's there to find out from VW?

      Who knows?

      I acquired a used Audi a few years back. It was either I take it (for free) or it had to be towed to the car crusher. Previous owner signed it over to me and I registered it at my PO box (as I do with all my vehicles). A few months later, Audi starts sending me maintenance reminders and ads for new models. To my home address. How'd they get that? I'm pretty certain I know how. Our state sells whatever personal data it has on its subjects to anyone who will pay cash. But now it's in the VAG databa

  • All I ever got from VW was a marketing questionnaire about why I chose to buy the car I did (VW Golf) back in 2016. One question was what other models I considered, and the answer was Toyota Prius and Tesla Model S. It felt slightly surreal then I wrote that down. All other communication (e.g. service reminders) has been from the dealer.

    I wouldn't mind a bit more data from VW, like how to update the GPS navigation database. It's starting to show its age.

    ...laura

"Your stupidity, Allen, is simply not up to par." -- Dave Mack (mack@inco.UUCP) "Yours is." -- Allen Gwinn (allen@sulaco.sigma.com), in alt.flame

Working...