The information, primarily the vehicles’ locations, had been collected through Internet connections and mobile apps
- Data from more than 800,000 EVs from Volkswagen Group was left unprotected for months in cloud storage
- The error was quickly rectified when discovered, and fortunately it looks like no one actually got into it
- The info included vehicle location and was gleaned through the cars’ Internet connections and mobile apps
The newspaper reported that “a volume of several terabytes of data,” covering some 800,000 EVs, was “largely unprotected and accessible for months in Amazon cloud storage.” When CCC contacted Cariad in late November, the automaker “responded within a few hours” and fixed the problem. Most of the data had been collected in 2024, and only from vehicles whose owners had connected the car to the Internet and signed up for the online services.
Spiegel reports that precise location data was available for 460,000 vehicles — including an ID.3 owned by Nadja Weippert, the mayor of the municipality of Tostedt, near Hamburg. She also sits in parliament as a member of the Greens political party, where she is a spokesperson on data protection.
The newspaper reports that she got the car in September and downloaded the Volkswagen app, which allows a user to check the battery and control charging from a phone, among other features. Through it, the car collected and transmitted data to the automaker. The unprotected cloud storage showed a detailed profile, including the car being parked at the Tostedt town hall, Weippert’s physiotherapist’s office, and her two-day trip to a state party conference.
According to reports, the unsecured data also profiled all the locations of a vehicle owned by a former State Secretary in Germany’s Ministry of Defense, as well as some 35 electric vehicles used as patrol cars by the Hamburg police department.
Spiegel reported that a deeper dive into the cloud storage could potentially have revealed all registered users of the mobile app, including their email addresses and phone numbers. Cariad told the newspaper that it would have required a “high level” of specialized knowledge to bypass several security mechanisms and combine different data sets, and called the error a “misconfiguration” rather than a security gap. Cariad also said that users’ passwords and payment data were not affected.
The majority of vehicles with improperly stored data were in Germany, but some were also from Belgium, Denmark, France, the Netherlands, Norway, Sweden, and the United Kingdom.