Volkswagen and its subsidiary Audi have become embroiled in a massive data breach that exposes the personal data of more than 3.3 million customers. On June 11th, 2021, the Volkswagen Group of America, Inc. sent letters to customers and interested buyers who were affected by the breach, explaining that data such as dates of birth, social security or social insurance numbers, and tax identification numbers had been stolen.
To make matters worse, the security team at PrivacySharks found the sensitive data for sale on the popular hacking forum, RaidForums. This means that many customers and prospective buyers for Volkswagen, Audi, and several authorized dealers could have their sensitive information sold to anyone willing to pay between $4,000 and $5,000.
What data was stolen in the Audi and Volkswagen breach?
The Volkswagen group revealed that the majority of data that was stolen was gathered for sales and marketing purposes. This data contained customers’ names and contact information like postal mailing addresses, email addresses, and contact phone numbers.
As well as the above, the data revealed whether customers had purchased, leased, or inquired about a vehicle and included information such as the Vehicle Identification Number (VIN), trim packages, and the make and model.
While it is bad enough that the above data was stolen, over 90,000 customers endured a worse fate: sensitive data about some US and Canadian customers was exposed, such as dates of birth, account or loan numbers, Social Security numbers, and tax identification numbers. Driver’s license numbers were also left unsecured, as was data regarding customers’ eligibility to take out a loan or lease a vehicle.
How was the Volkswagen data stolen?
A letter from the Volkswagen Group of America, obtained by TechCrunch, states that an unnamed vendor left a cache of customer data unsecured between August 2019 and May of this year, before the company became aware of the issue. In the letter, Volkswagen states:
We believe that the data was obtained when the vendor left electronic data unsecured at some point between August 2019 and May 2021, when we identified the source of the incident.
It has since been claimed by many sites, including Bleeping Computer, that the data was found in an unsecured Azure Blob container. This is a huge blow to the company and no doubt creates a massive loss of trust from consumers.
Where is the data being sold?
Our experts have seen the sale that was posted on June 15th, 2021, and can confirm that the data is being sold on a popular hacking forum. The seller states that they have data relating to over 3.8 million leads and 1.7 million sales at Audi.
Although the stolen data contained Social Security numbers, this data does not appear to be a part of the data for sale, which might offer some small reassurance to Volkswagen and the individuals affected by the breach.
Volkswagen’s response to the data breach
As mentioned above, Volkswagen became aware of the exposed data in May 2021 and sent clients caught up in the breach a letter detailing what had happened on June 11th.
In the letter, Volkswagen set out the steps it is taking to resolve the issue. Aside from alerting the authorities and working with the vendor and cybersecurity experts, the company is offering the affected US and Canadian customers free credit protection.
The credit protection service includes 24 months of credit and Cyberscan monitoring as well as a $1,000,000 insurance policy and access to identity theft recovery services. It’s a small price for the company to pay, given that it has unintentionally exposed the data of many of its customers.
The consequences of the data breach on customers
The dangers that follow a data breach, including identity theft, are well known. However, in this situation, the biggest loser of all may well be Volkswagen. The company’s admission that one of its vendors left a considerable amount of data unsecured for over 2 years is quite frankly an embarrassment and will surely affect the reputation of Volkswagen and Audi going forward.
However, when events like this occur, it almost always leads to better security solutions. We expect to see Volkswagen increase the security measures that its subsidiaries and authorized dealers employ from now on.
Volkswagen letter: https://www.documentcloud.org/documents/20806130-audi-volkswagen-letter
List, sold at Raid Forums: https://raidforums.com/Thread-SELLING-audiusa-com-2019-5m