Volkswagen announced that a massive data breach exposed the personal information of over 3.3 million customers after one of its vendors left a cache of customer data unencrypted on the internet. In a letter to customers, Volkswagen said that the vendor utilized by Volkswagen, its subsidiary Audi, and authorized dealers in the United States and Canada had left customer data from 2014 to 2019 unsecured for two years between August 2019 and May 2021.
Personal information about clients and potential buyers were included in the data, which was collected for sales and marketing purposes. Volkswagen Group of America, Inc. (VWGoA) is the German Volkswagen Group's North American subsidiary, responsible for Volkswagen, Audi, Bentley, Bugatti, Lamborghini, and VW Credit, Inc. operations in the United States and Canada.
Between August 2019 and May 2021, a vendor left insecure data accessible on the Internet, according to data breach notices submitted with the California and Maine Attorney General's offices. This specific vendor informed the VWGoA in March that an unauthorized person had gained access to the data and may have accessed customer information for Audi, Volkswagen, and some authorized dealers.
According to VWGoA authorities, the hack affected 3.3 million customers, with almost 97% of those affected being Audi customers or potential buyers. The data breach appears to have exposed information ranging from contact information to more sensitive data including social security numbers and loan numbers.
"The data included some or all of the following contact information about you: first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages," disclosed VWGoA in a data breach notification.
"The data also included more sensitive information relating to eligibility for purchase, loan, or lease. More than 95% of the sensitive data included was driver’s license numbers. There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers."
The hackers are demanding between $4,000 and $5,000 for all of the records, claiming that the database contains no social security numbers. The threat actors earlier stated that the database for a VPN service provider with various Android apps on the Google Play Store was on sale for $1,000.
Volkswagen is offering free credit protection and monitoring services to the 90,000 customers whose personal information was exposed, as well as $1 million in identity theft insurance.