One of Volkswagen’s vendors left one of its systems exposed for nearly two years, leaking the personal data of 3.3 million customers – nearly all of them current or prospective owners of the automaker’s luxury brand, Audi – Volkswagen of America said last week.
The breach took place between August 2019 and May 2021, Volkswagen said in a letter to the Maine Attorney General that was first spotted by TechCrunch reporter Zack Whittaker.
The car maker said that the data, mostly collected for sales and marketing, was exposed by a vendor used by Volkswagen, its Audi subsidiary and authorized dealers.
For upwards of 97 percent of the affected customers and prospective buyers, the exposed data was limited to contact information: names, postal and email addresses, and phone numbers.
Other buyers or prospective buyers got hit harder, since they had more sensitive data – including Social Security numbers, dates of birth and driver’s license numbers – stored on the vendor’s leaky server, as Volkswagen explained in its letter:
For over 97% of the individuals, the exposed information consists solely of contact and vehicle information relating to Audi customers and interested buyers, including some or all of the following contact information: first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also includes information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages.
For approximately 90,000 Audi customers or interested buyers, the data also includes more sensitive information relating to eligibility for a purchase, loan, or lease. Nearly all of the more sensitive data (over 95%) consists of driver’s license numbers. A very small number of records include data such as dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers.
Why Did It Take Two Months to Secure that Server?
Volkswagen said that it first heard about the breach on March 10. The company didn’t explain why the leak continued until last month, or why the unnamed vendor took two months to secure its server. It’s also unknown whether the data was actually downloaded by unauthorized third parties during the nearly two years it was left exposed online. Threatpost has contacted Volkswagen for comment.
Any of Volkswagen’s affected customers or potential customers are at risk of fraud due to the breach. But customers who drive Audis are also susceptible to having their pricey rides stolen: The 2021 Audi A4, for example, sets you back anywhere from $39,100 on up to $51,900.
Luxury cars are protected by deluxe anti-theft technology, but that technology can be foiled. This video shows thieves breaking into an Audi RS4 in just 90 seconds, by breaking the window and plugging a device — assumed to be a piece of equipment available online that’s used to silence alarms and program blank key fobs — into the dashboard.
But cybercrooks don’t have to resort to fancy gadgets to milk profits from car owners. Instead, they can opt for less complex and sophisticated attacks, such as phishing or ransomware. They’ve learned that the data automotive companies hold – from customer and employee personally identifiable information (PII) to financial data – is invaluable.
One example was when an attacker installed a keystroke logger on the workstation of a car dealership’s finance specialist, to obtain their credentials and access customer credit reports. Another launched a ransomware attack on Toyota Australia, leading to delays in servicing and disruption in the supply of parts.