Whoops: Volkswagen Leaks Sensitive Data Of 800,000 Electric Vehicle Owners
from the you-spent-45-minutes-at-a-brothel dept
Back in 2023 Mozilla issued a report indicating that automakers have some of the worst privacy and security standards in all of tech, routinely hoovering up oceans of consumer behavior and phone data then failing to adequately secure it. Senator Ron Wyden has been at the forefront of calls for Congress to shake off corruption and, you know, actually do something useful about it.
The U.S. Congress is too corrupt to function, so that never actually happens. Instead we get a rotating crop of avoidable scandals by companies that see no financial or reputational incentive to change.
Case in point: a new report by German magazine Der Spiegel found that a flaw in Volkswagen, Audi, Seat, and Skoda vehicle software exposed the personal data of more than 800,000 owners, including user email addresses, phone numbers, and addresses. The flaw in the companies’ software configuration and cloud storage also allowed intruders to track the location of some vehicle owners to “within ten centimeters.”
Politicians in Germany, who were among those impacted, aren’t amused:
“I’m shocked,” says [Nadja] Weippert when SPIEGEL shows her her location data from the past few months. As a state and local politician, she is exposed to hostility and threats. “It cannot be that my data is stored unencrypted in the Amazon cloud and then not even adequately protected,” she says. “I expect VW to stop this, collect less data overall and anonymize it in any case.”
Regular readers of course know that “anonymizing” is gibberish terminology that doesn’t actually mean your data is secure. Regular readers also know that automakers collect way more data than they actually need, routinely fail to clearly inform car owners this data is being collected, sell access to numerous dodgy data brokers, and often fail to protect data integrity or encrypt sensitive consumer data.
Here in the States there’s, again, simply no meaningful incentive for change. Volkswagen is currently wrapping up a lost $3.5 million appeal related to the leak of data from more than 3.3 million current and potential car owners. If automakers do see fines, they’re a tiny fraction of the money being made from data over-collection and monetization, and can routinely be litigated down even further.
With the U.S. entering an unprecedented era of mindless deregulation at the hands of corrupt authoritarians (with regulatory independence on the immediate chopping block), you can absolutely expect these kinds of scandals to get worse. At least until there’s a scandal so massive in scope (likely exposing the bad habits of powerful people) that Congress is incentivized to shake off corruption.
Filed Under: automakers, cloud, hackers, location data, mozilla, privacy, security, surveillance
Companies: volkswagen


Comments on “Whoops: Volkswagen Leaks Sensitive Data Of 800,000 Electric Vehicle Owners”
VW SOLD the data. Execs privately profit from data “breach”. Needs IRS/HMRC independent financial audits as they’ll find unexpected millions in the staff bank accounts.
Re: Staff bank accounts?
YOU THINK they are, in any way, THAT stupid?
It’s Buried in Multiple PRIVATE, NOT STATE CONTROLLED, Banks.
If you can Ever find them.
Another story about some software bug or flaw.
I doubt the offending code was put there unintentionally, causing ‘problems’ resulting in ‘unexpected’ revenue.
It was a flaw huh … yeah, sure it was.
GDPR
In Europe land the GDPR has some teeth so a fine could be substantial
Re:
Substantial relative to what?
Minimum wage or the profit VW obtained due to their illegal activity?
The only way to ensure this data is never leaked is never to have created it in the first place. There is no reason cars should be connected to the internet.
Re:
How and why does it exist, anyway? Most people would (to my knowledge) not be buying from Volkswagen anyway, but from a dealer. So why does Volkswagen get the data?
One might think that handling recalls is a possible reason. But if VW is getting constant location updates, that means there’s already a communication channel by which they could send a “your vehicle’s been recalled” message. Of course, a two-way channel shouldn’t exist, which makes me think there’s no coherent privacy design at all.
When watching a family member use a phone app to start their (non-VW) car, and seeing it sometimes take dozens of seconds or fail inexplicably, I’ve occasionally joked that it must be sending messages around the world, perhaps to a worker in a Korean factory who’s actually controlling their ignition. Maybe it’s not so much of a joke. 20 years ago, this worked fine with just local radio communication; today, a Bluetooth keyfob would probably be sufficient (version 5 can work over hundreds to thousands of meters).
Re: Not true
Our VW ID.4 is connected to the internet.
1. One of the benefits we get is the ability to warm up the car in a cold garage a few minutes before driving it.
2. Recurrent uses data to measure how our battery is performing.
Re: Re:
But we already had that technology, decades ago, without Internet dependence. And as noted above, Bluetooth could do it at a useful range, which means the feature would still be accessible via smartphone (or simpler devices for those who’d prefer them).
Why would battery measurement require Internet access? Dashboards had battery gauges long before people had mobile internet access. With modern cars having dozens of computers, some local storage, and at least one computer-style monitor, surely they could give an accurate and user-friendly interface locally.
Re: Re:
“One of the benefits we get is the ability to warm up the car in a cold garage a few minutes before driving it.”
Do you also remote control the garage door open?
Re: Re: Re:
The ID.4 is an electric car, so that’s not necessary for safety. But most people do manage to work their garage doors remotely, without an internet connection. (For now, anyway. Don’t be too surprised if someone convinces the public that they need to be able to work their garage door, check on its status, and graph its statistics from anywhere in the world.)
Re:
Yup, absolutely no reason for your car radio to be able to connect to Spotify or Audible whatsoever. /s
The fine is humorous. The average sales price for VW is 32k (I assume higher for the luxury brands, but let’s pretend 32k across the board.) So VW is fined 1/32000 = .003% of the sale price of a car. This is like someone earning $100k a year having an equivalent fine of $3. I’m sure that amount absolutely changes behavior. (Hopefully I mathed correctly…)
Soon, we will be at the point where the regulator has to nicely ask the offending company if and how much they can fine them.
Re:
With the Loper Bright in place, it will be sooner rather than later.
JUST a comment
So, How is your car connected to the Internet??
Unless there is a Hidden Direct connection Through your Router??
It’s Storing the data until it gets access to a Wireless connection? Where, and WHY are YOU paying for it with the price of the Car?
It’s a wonder That IF that signal was delayed or discontinued, That the car would Disable or Cause you to Go to the VW repair service.
I don’t Think congress would LOVE to hear that SOMEONE has direct access to tracking them. AND we should REMIND THEM OF THAT.
Wait. VW leaked the location data of a German politician through negligence (along with that of 800,000 other people, presumably all European), failed to notify, and… nothing? What happened to the GDPR and its ability to fine a business 20% of its global worth?
There’s no way that that data collection and storage was GDPR compliant.