Massive VW Data Leak Exposed 800,000 EV Owners' Movements (carscoops.com) 58
A new report reveals that the VW Group left sensitive data for 800,000 electric vehicles from Audi, VW, Seat, and Skoda poorly secured on an Amazon cloud, exposing precise GPS locations, battery statuses, and user habits for months. Carscoops reports: It gets worse. A more tech-savvy user could reportedly connect vehicles to their owners' personal credentials, thanks to additional data accessible through VW Group's online services Crucially, in 466,000 of the 800,000 cases, the location data was so precise that anyone with access could create a detailed profile of each owner's daily habits. As reported by Spiegel, the massive list of affected owners isn't just a who's-who of regular folks. It includes German politicians, entrepreneurs, Hamburg police officers (the entire EV fleet, no less), and even suspected intelligence service employees. Yes, even spies may have been caught up in this digital debacle.
This glaring error originated from Cariad, a VW Group company that focuses on software, due to an error that occurred in the summer of 2024. An anonymous whistleblower used freely accessible software to dig up the sensitive information and promptly alerted Chaos Computer Club (CCC), Europe's largest hacker association. CCC wasted no time contacting Lower Saxony's State Data Protection Officer, the Federal Ministry of the Interior, and other security bodies. They also gave VW Group and Cariad 30 days to address the issue before going public. According to CCC, Cariad's technical team "responded quickly, thoroughly and responsibly," blocking unauthorized access to its customers' data.
This glaring error originated from Cariad, a VW Group company that focuses on software, due to an error that occurred in the summer of 2024. An anonymous whistleblower used freely accessible software to dig up the sensitive information and promptly alerted Chaos Computer Club (CCC), Europe's largest hacker association. CCC wasted no time contacting Lower Saxony's State Data Protection Officer, the Federal Ministry of the Interior, and other security bodies. They also gave VW Group and Cariad 30 days to address the issue before going public. According to CCC, Cariad's technical team "responded quickly, thoroughly and responsibly," blocking unauthorized access to its customers' data.
GDPR - bite hard! (Score:3)
This will demonstrate whether EU mega-corps can avoid responsibility for their mistakes, or whether the EU is willing to upset its own major firms. But don't expect any clear decisions before the German election in February; the EU fining VW would be a vote winner for the AfD who are Euro-sceptics.
Re: (Score:2)
Potentially 4% of global revenue, but it depends on the circumstances. Malice, gross incompetence, poor response, attempted cover-up etc. And of course the nature of the data and number of victims, which is likely to be VW's biggest worry.
Re: (Score:3)
I don't see an attempted cover-up here, and Cariad's response was immediate and effective. The breach was massive - and appears to have been in place for around 5-6 months - but we don't know who noticed (apart from the whistleblower).
Re: (Score:2)
If any of the data leaks out they are really screwed.
Re: (Score:1)
Perhaps the scapegoat for emmissions-gate might come back for another run?
Re: (Score:3)
It wasn't any mistake to inappropriately collect it all in the first place. None of it should ever have been on record as a mass collection.
Re: (Score:2)
This is the real question. Also: such collection should be a matter of user choice: opt in not opt out.
Re: (Score:2)
Also: such collection should be a matter of user choice: opt in not opt out.
Collection of data not necessary for operations should be banned. That is the only way to protect from leaks/misuse -don't collect it in the first place.
Re: (Score:2)
This. Why does this data exist in the first place?
Ages ago, in antediluvian times, it was taught in computer science about data collection. Back then, it was syslog servers where that data could tell about not just when people logged in, but what they did, especially with process accounting logs. Stuff was filtered, so only critical stuff was sent to the log server and logs on machines were set to only allow relevant stuff and were rotated out frequently. If the data was not there or if it was nuked sho
Re: (Score:1)
Nice conspiracy theory. In reality the EU go after their own firms for the GDPR violations all the time. Also not having done anything soon has zero to do with an election, the EU is very slow pursuing GDPR violations, VERY slow. Forget this election, if this is pursued you may see something happen next election.
By the way exposing data via an unintentional data breach isn't a violation of the GDPR. What may be a violation is the reporting and handling of it.
Re: (Score:2)
Looks like conspiracy nutjobs have mod points today. Oh well, greeting comrades!
Re: (Score:1)
VW will be judged by a court of law.
Not by the ruling party and not by any other party.
Re: (Score:2)
Re: (Score:2)
only move
every move.
The leak isn't the real problem. (Score:5, Interesting)
If someone knew how to configure S3 buckets the people in that data set wouldn't be safe; they'd just have no idea who had the data or how they got it, data brokerage not being a business that seeks attention.
Re: (Score:2)
The even more damning thing is that it is a safe assumption that this isn't the entire dataset and that others movements have and are still being tracked. Toyota's data breach of 2.15 million owners (mentioned in TFA twice for reasons) is just for one country.
> Cariad reassured customers that no sensitive data—such as passwords or payment information—was exposed, emphasizing that they “don’t need to take any action, as no sensitive information like passwords or payment data is aff
Re: (Score:2)
Yes, why do they collect that data? Let's see their lawful justification under GDPR.
Re: (Score:3)
Hmm yes why WOULD a manufacturer be interested in detailed information about how people use their products? I can't think of anything useful that could be learned, especially nothing that could be used to better fit their products' features and capabilities to real-world usage.
Seriously though, regardless of how you feel about Big Data practices, the "lawful justification" for collecting it seems absolutely trivial in this instance.
=Smidge=
Re: (Score:2)
Every business can make some kind of argument for why it collects data about customers or users. The existence of an argument doesn't equate to "lawful basis". The most plausible basis in this case, "legitimate interests", is lawful when:
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Complete geolocation data is almost certainly not necessary for the interest you outline, and presumably does not outweigh the rights of the data subject.
Re: (Score:2)
Yes, exactly. The right to privacy is a human right, and whilst it isn't an absolute right, it does have to be considered in balance, and is more important than, legitimate interests. You can't just collect data because you'd like to. Your TV can't capture all your family's reactions and conversations just because the TV manufacturer's partners are interested in whether you like the adverts and shows.
Re: (Score:2)
> Complete geolocation data is almost certainly not necessary
Playing Devil's advocate; Detailed geolocation data gives a better picture of each driver's real-world, daily driving needs including distances, speeds, terrain (paired with topo data) and even weather conditions (paired with time and location). This data allows evaluation of the vehicle's necessary performance to meet the demands of the customer base in aggregate, and future designs can be refined to optimize cost against those demands.
That's
Re: (Score:2)
Option (a) has to be meaningfully opt-in, which wouldn't be the case for this kind of mass collection.
As for the "legitimate interests" clause, you are not playing devil's advocate, you are okaying "stupid git who pretends the threshold is helpful when the law says necessary".
Re: (Score:2)
> Option (a) has to be meaningfully opt-in, which wouldn't be the case for this kind of mass collection.
Bullshit. In order for the tracking to happen, you need to enable telematics. In order to enable telematics, you need to agree to the TOS. This happens as part of the paperwork when you buy or lease a vehicle - one of those half dozen or so signatures you provided was a that. You explicitly acknowledge that they collect various data about your driving habits and agree to let them do it. Their privacy s
Re: (Score:2)
Re: (Score:2)
The law says "necessary" -- it's in the bit I quoted in the first place! -- and the law means "necessary", not merely helpful. Similarly, consent must be freely given. It cannot be made obligatory though terms of service or some other contract: https://gdpr.eu/gdpr-consent-r... [gdpr.eu]
Re: (Score:2)
Ok, now please show where these car companies informed people that this data was being collected and that the reasons you give are the purpose of the collection, and also, where do they state the retention periods for the data and when they would delete it. Also show where these companies provided a way to remove consent which was as easy to do as giving consent. (There's a few more requirements but we can start with those!)
Re: (Score:2)
Tell me you've never leased or purchased a new car without telling me. Surely you're aware that the process involves a certain amount of paperwork? What do you suppose they need so many signatures for?
Spoiler alert one of those is agreeing to the Terms of Service [con-veh.net] for their telematics service, giving them permission to spy on your driving habits [vw.com].
Now those are the US versions of those documents of course, but the content is going to be largely the same. Digging up the EU versions for your country of choice is
Re: (Score:2)
Thanks for the link to the terms. I think under GDPR, with those terms, and what's
in that data breach, they are in trouble.
Re: (Score:2)
If that was the primary motivation there would be an "Off" button somewhere.
I wouldn't trust the button, of course, which is why I'd go for a physical disconnect of the wireless gear. My understanding is that they make that impractical-to-impossible.
And that's why I'm driving a vehicle from 23 years ago. My next one will probably be even older, retrofitted with a modern EV drivetrain of course. It's to the point where you basically have to get a car tailored now to bypass all the tech garbage. Highly inconv
Re: (Score:2)
On the other hand, why do companies have to collect so much data? Why does anything electronic have to have a constant telemetry stream? Yes, product refinement is one thing, but this was very well done before every device had to spy on Big Brother levels. For example, a designer of a bare bones fleshlight app doesn't need to know your location, contacts, ask for root permissions, and demand microphone access.
Who cares about product refinement? Companies have that figured out long ago. The slurping of
I'm so darn glad I disabled GPS on my car (Score:5, Insightful)
I have a Seat Mii. I have not checked if my car is affected but I don't need to. Day one after getting home with the car was to hook up OBDEleven into it, go to the telematics module, and disable GPS unit.
Only problem is that the remote control functions like heating and the like start to fail every few months, because apparently the protocol used between the car and VW group's servers have some timestamps in them, and after a few months the car's clock has started drifting. So I'll enable GPS for a few minutes to get the clock back into sync and then disable it again.
The location info has shown the car being parked in my yard for past four years. I *do* enable it occasionally - e.g. when away from home and not using the car myself - in case some non-tech-savvy thief decides to make off with the car.
Re: (Score:2)
This is great, until they disable that method of disabling it. I don't have a car that tracks me in any way. But if I did, I would seek doing something just like you do. Where I am and where I go is absolutely nobody's business buy my own.
I guess then the next step is to try to locate the antenna and put a remote switch. But, they might use it for bluetooth or something else as well and you lose that. Then you try to put an inline GPS frequency filter in-line. And with all the cases you lose the abil
Re: (Score:2)
Yeah, the module actually has no direct setting to disable GPS as such. My method of disabling is to switch the active antenna socket (apparently the box has two). When I switch it to one that does not have anything attached, then the box loses location data and time sync.
Probably have to use something like that afterwards.
The manual *does* specifically list that I could disable *all* telemetry at the dealership, but I actually prefer the capability to enter a warmed-up car in winter mornings. This method a
Re: (Score:2)
You shouldn't have to "share" your location in order to remote start your car or any other function. It was designed to punish people for not bending over to take it.
Re: (Score:2)
I just wonder why, as customers, always have to be always in a jailbreaking arms race with the car makers? Why not do something like a physical DIP switch array in some fairly accessible place, where one can just flip a switch to physically power off the cellular antenna, GPS antenna (GPS can work as receive-only), Wi-Fi, Bluetooth, and other stuff. Same with the keyfob. I'd rather have it work like a regular remote (hit the unlock button to unlock), then wave it near the start/stop button and let NFC d
Re: (Score:3)
That's all good and fine until you drive an EV. Having GPS and using the integrated vehicle is borderline essential for longer travel distances, not the least of which you get some semi automated battery management - by that I mean very useful suggestions for charging and estimations of end charge.
Re: (Score:2)
While you disabled GPS, there are other data that is collected
Elephant in the room (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3)
Knowing how customers use your product can help you design a better product for them (you know how you complain about Windows removing the functions you like while in the same breath sharing tips on how to disable telemetry?) For EVs especially it's good to understand how battery management and regen is being used by the majority of your customers.
But there are value added features as well, such as the API recalling where you parked your car, or automatic log-booking for taxation purposes if that's a thing
Re: (Score:2)
The an$wer is right in front of you.
Re: (Score:2)
The an$wer is right in front of you.
it is not even money. Automakers Sold Drivers' Data for Shockingly Low Amounts of Money [caranddriver.com]
Oh no, gotta check... (Score:2)
Need BIG fines (Score:2)
Data loss should be fined at the level of 1000, to 10s of thousands of dollars per individual - in line with the harm to people who have to deal with identity theft and other impacts, combined with a punitive multiplier. Give industry a REAL financial incentive to protect, of better NEVER COLLECT the data in the first place. Why does my car manufacturer need to record my GPS location?
Re: (Score:2)
Re: (Score:2)
VINs are anonymous. They identify the car you're looking at and manufacturer information behind it and have no information about the owner. Heck many governments provide VIN looking database to people and businesses for a small fee. A separate database is needed for owner information and if you have access to that then the vehicle information is borderline worthless to you.
Re: (Score:3)
Throw the CEO and BOD in the clink if the car is discovered to be reporting back to HQ. Make it a 2-5 year sentence. It would stop immediately. Seriously, can you imagine how f
Re: (Score:2)
in line with the harm to people who have to deal with identity theft and other impacts,
"And other" is a great way of saying "I can't think of how this affects people". Identity theft is a good start, but the overwhelming majority of people will not experience identity theft as a result of this so if you want to actually put a dollar sign to the impact you're going to be very disappointed at the actual result.
Here particularly you could do the same identity theft by walking down the street and looking in someone's mailbox while noting down what car is parked in their driveway.
/o\ | \o/ (Score:1)
This implies there are tiers and that ordinary people are at the bottom.
Why (Score:1)
A WARNING against self-driving cars (Score:2)
Remember the Emission Scandle? (Score:2)
I know several people who felt that VW was being picked on so badly by Big Government that they bought a VW. This warms my heart even more.
Please please please punish someone. (Score:2)
Now... probably lots of someones, honestly. No punishments I care about means no reason to change. Customers can't choose not to give them information so...