Joe Green
@TechForge_Media
joe@techforge.pub
“e30 bmw 325i sport” by slinky2000 is licensed under CC BY-NC-SA 2.0
A report in the German magazine Der Spiegel [German language] has revealed that highly personal data about 800,000 vehicle drivers was left unprotected and easily accessible from car maker VW, along with detailed location data for around 460,000 vehicles, including police cars and those of business leaders and politicians in Europe.
The data was left largely unprotected and unencrypted on AWS by VW subsidiary Cariad. Investigators at Der Spiegel and the Chaos Computer Club (CCC) found that browsing parts of the Cariad corporate website exposed directory listings which allowed access to the data collection using little more than simple tools. The location data, accurate in some cases down to ten centimetres, showed where cars had travelled over the course of 2024, including where they’d been parked and which charging stations had been used.
For the Green politician Nadja Weippert, who sits in the Lower Saxony state parliament and is the mayor of Tostedt, the news of the data’s open availability was particularly alarming; she is the data protection spokesperson of the Green group for the area.
“I’m shocked,” Weippert said. “[…] My data is stored un-encrypted in the Amazon cloud and even then not adequately protected
[or] collect less data and at least anonymise it.”
Some cars provided richer data collection than others, investigative researchers at Der Spiegel and the CCC found. The VW models ID.3 and ID.4 both require their owners to use a smartphone app to get access to all the features of the vehicle, and once phone and vehicle data is correlated in software, rich information is fed to the manufacturer and its subsidiary Cariad.
The Mozilla Foundation dedicated an entirely separate addendum to automobile manufacturers’ practices when it compiled its ‘Privacy Not Included’ report, noting that 86% of car makers bundle their customers’ collected data and sell it to data brokers, although the industry claims that such information is anonymised.
But as even trainee data specialists will attest, de-anonymising data by simply cross-referencing it with other sources turns ‘safely anonymised’ information into personally identifiable descriptions of individuals.
The potential for criminal or terrorist attack is an obvious concern when data is left unprotected by error or ‘misconfiguration’ (the term used by Cariad to explain the cause of the problem described to them by the researchers). But the underlying issue remains: many organisations collect personal user data for commercial gain, and couch their intention to do so in legalese buried in rarely-read Terms and Conditions.
The only difference between a bad actor stumbling on an unprotected trove of sensitive information and anyone accessing personally-identifiable data legally is that in the latter scenario, money changes hands in the largely unregulated market for consumer and commercial data.
Car manufacturers are no worse or better than those making and selling smart home or office appliances, or any number of other desired necessities of life in 2025.
Cariad, Volkswagen’s automotive software subsidiary, reportedly left the sensitive data of 800,000 electric vehicles exposed in an unsecured Amazon cloud storage folder. One affected owner, the German politician Nadja Weippert, delved into the app she was required to download to use the remote functionality of her Volkswagen ID.3. She found that it was collecting precise geolocation data every time the car was turned off, creating a detailed picture of where she had been.
The vulnerability was first discovered by a European ethical hacking organization, the Chaos Computer Club (CCC), which confirmed the issue on November 26 and notified Cariad, giving the company 30 days to make the data inaccessible.
German publication Spiegel revealed that more than half of the vehicles (460,000) were sharing precise GPS data. Most of the 800,000 affected models were located in Germany (300,000), with Switzerland and Austria also being home to tens of thousands of affected electric vehicles.
Because Volkswagen is the parent company of other popular European brands, SEAT and Skoda models were also reportedly affected, as were Porsche and VW Group’s other subsidiaries.
The report also notes that Volkswagen is already lagging behind rivals in the software space. As the boundaries between tech and cars draw ever nearer, customers and researchers are rightly raising more and more security concerns.
Craig Hale: With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives. He is also passionate about cars and the decarbonisation of personal transportation.
Volkswagen data breach raises important questions about how much information carmakers are collecting
When Nadja Weippert began operating her brand-new VW ID.3 last September, she immediately downloaded the Volkswagen app, which let her see the battery level and check the remaining range. The app is necessary to take advantage of all of the car’s amenities.
German politician Nadja Weippert: "I am shocked."
The 41-year-old likely took a closer look at the app’s data protection provisions than many others: she isn’t just a Green Party member of the Lower Saxony state parliament, she is also her group’s spokesperson for data protection issues.
The article you are reading originally appeared in German in issue 1/2025 (December 28th
Her car apparently began collecting data and transferring it to the automaker, including the precise GPS coordinates of wherever she parked – every time the engine was turned off. The result was a dataset that could easily be used to produce a precise movement profile of her day-to-day life.
(Note: the information presented in this graphic is purely fictional, produced on the basis of original data for the purposes of this illustration.)
The politician’s car was often parked in front of the Tostedt townhall and the Lower Saxony parliament building, but the data could also be used to identify her sports club, her favorite bakery and the practice of her physiotherapist – in addition to the details of her two-day trip to Oldenburg for her party’s state conference.
German parliamentarian Markus Grübel: "Infuriating and embarrassing"
Markus Grübel, a member of federal parliament for the Christian Democrats from Esslingen am Neckar, entered the screenname "Kussi” into the app. His car was occasionally parked in front of the retirement home where his elderly father lives.
a function of him being a member of the Bundestag’s Defense Committee
He was a state secretary in the Defense Ministry until 2018. A brief vacation in the Allgäu region last spring is also reflected in his car’s data.
None of this information should be publicly available. Several terabytes of largely unprotected data from around 800,000 electric vehicles were accessible in an Amazon cloud service for several months. Vehicles in Germany, elsewhere in Europe and in other parts of the world were affected. Much of the vehicle data can be linked to the names and contact information of drivers. Precise location data was viewable for 460,000 vehicles, providing hints about the lives of their owners – such as the two politicians.
And it all came about because the VW subsidiary Cariad, a company employing thousands of software developers and originally established to build a pioneering platform for all of the company’s electric vehicles, made a mistake last summer – and never noticed.
It is more than just an embarrassing misstep for a company already facing significant headwinds: a devastating gaffe with the company’s software, an area where VW is already far behind the competition – and one that involves the security of private data, which Germany likes to regard as a national advantage relative to the much laxer regulations in the U.S.
An informant shared the serious data breach with the Chaos Computer Club and DER SPIEGEL. Nadja Weippert and Markus Grübel both gave their permission for reporters to take a closer look at the datasets of their cars. "I am shocked,” said Weippert when DER SPIEGEL presented her with her location data from the past several months. She has on occasion been the target of animosity and threats.
"It is unacceptable that my data is stored unencrypted in the Amazon cloud free of adequate protections,” she says
to collect less data overall and to absolutely anonymize what they do collect.”
Grübel also finds the data breach to be "infuriating and embarrassing,” adding that it doesn’t exactly boost confidence in the German automobile industry. "Particularly with regard to autonomous driving and the possibility of manipulative cyberattacks on that technology, manufacturer IT expertise clearly still needs to be improved significantly.”
DER SPIEGEL reporting has found that other victims include additional politicians, suspected intelligence agents and even the Hamburg police, which has around 35 electric vehicles in its fleet.
Very few of them are likely to suspect just how transparent their automobiles have made them. For many owners, including those of the VW models ID.3 and ID.4, it can be seen when their cars were switched on and precisely when and where they were switched off. The VW ID.3 sends location information accurate to 10 centimeters.
Criminals or spies could potentially use such data to create a detailed movement profile of the car owners. It may be of interest to see whose cars are parked daily between 8 a.m. […] near buildings belonging to the Bundesnachrichtendienst, or those which are driven regularly to the U.S.
One doesn’t even need to take the logical leaps of faith common in spy thrillers. The data would make it easy for swindlers to compose credible phishing emails, presenting themselves as representatives of Volkswagen, suppliers or subsidiaries to access a customer’s credit card details or other payment information. Blackmailers could target vehicle owners who regularly park in the lot of the Berlin bordello Artemis or at a prison or addiction center. Stalkers or jealous ex-partners could have seen where and when someone spends the night. Because movements of vehicles in Ukraine and Israel were also documented, the data could even be of military interest – depending on whether a potential target was behind the wheel.
When the Chaos Computer Club (CCC) learned of the data breach, it contacted Cariad with information and technical details. Its members also wrote to VW company headquarters, the Lower Saxony commissioner for data protection, the German Interior Ministry and other security agencies. The CCC acts as an intermediary in such cases, reporting IT security vulnerabilities to those responsible when such breaches are brought to its attention – with no financial interest and purely with the aim of increasing IT security in general. The CCC gave the company 30 days to make the data inaccessible to unauthorized persons, after which the club would inform and warn the public itself.
Cariad responded within just a few hours and didn’t even try to minimize the severity of the miscue. The team responsible for security issues expressed its gratitude and asked for additional details. "The technical team from Cariad responded quickly, thoroughly and responsibly,” CCC spokesman Neumann says.
A DER SPIEGEL team made up of IT experts and journalists was able to examine the vulnerability. Neither intelligence agencies nor snooping VW competitors, criminals or even bored teenagers would have found it particularly difficult to access the trove of information. Nothing special was necessary beyond a couple of freely available computer programs that are part of the standard toolbox for criminal hackers and IT professionals alike. These programs made it possible to find one’s way through Cariad internet sites and sub-sites with systematic guessing, even if some of those sites might be invisible to normal users. The approach makes pathways visible that lead directly to certain types of files, the endings of which made it readily apparent that they could be of a sensitive nature.
One of these pathways basically led to a copy of the real-time memory dump of an internal Cariad application. Such data should never be on the openly accessible internet, or at least not without password protection. Modern security programs and processes should be able to identify such a breach. But because that wasn’t the case with Cariad, attackers would have been able to simply download and open the memory dump.
It contained the easy-to-find access information to an Amazon cloud service. The cloud service itself contained the data pertaining to the individual vehicles, easily recognizable from the labels for battery levels, the inspection status and the categories "engine on” and "engine off,” with the latter category also including the geo-coordinates of the vehicle when the electric engine was turned off. For some vehicles this geodata was accurate down to 10 centimeters; for others it was accurate only down to 10 kilometers.
Additional access data could be found elsewhere, this time for a proprietary service from VW with which car owners could set up a personal profile on an app and link it to their vehicle. This access data made it possible to view the VW database of all registered users – and to link the users with the first set of automobile data. In this way, detailed movement profiles could be matched up with specific individuals. Linus Neumann of the CCC compared it to "a gigantic keychain hidden beneath a tiny welcome mat.”
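The chain described above turns on a single artifact: a memory dump that carried cloud access credentials and sat where a web server would hand it out. A cheap control a defender can put in front of exactly that failure is a secret scan over every build artifact, dump and export before it can reach a web root or an object store. The Python script below is an added example written for this page, not code from Cariad, the CCC or Der Spiegel. It searches a byte blob for the publicly documented shape of AWS access key IDs, then looks within a window around each hit for a 40-character secret key, using a Shannon-entropy filter to discard padding and other repetitive runs. The dump it scans is constructed inline with placeholder credentials (the secret is the non-functional example string from the AWS documentation); the 3.5 bits-per-byte entropy threshold and the 256-byte window are this example's assumptions, not published values.

```python
"""Secret scan over a memory dump (added example; not Cariad, CCC or Der Spiegel code)."""
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# AWS access key IDs have a fixed, publicly documented shape: a four-letter
# prefix ("AKIA" for long-term IAM user keys, "ASIA" for temporary STS keys)
# followed by 16 uppercase letters or digits. That makes them cheap to find
# even inside a binary blob.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")

# Secret access keys are 40 characters from the base64 alphabet and carry no
# prefix, so a length match alone is noisy; the entropy check below filters
# out padding and other repetitive 40-character runs.
SECRET_CANDIDATE_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for a run of one repeated byte."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: bytes) -> str:
    """Keep only a 4-character prefix so the report never re-leaks the secret."""
    return secret[:4].decode("ascii") + "*" * (len(secret) - 4)


@dataclass
class Finding:
    offset: int                # byte offset of the access key ID in the blob
    access_key_id: str
    secret_nearby: bool        # a plausible secret key sits within the window
    redacted_secret: Optional[str] = None


def scan_for_aws_credentials(blob: bytes, window: int = 256,
                             min_entropy: float = 3.5) -> List[Finding]:
    """Report every AWS access key ID and whether a secret key sits near it.

    min_entropy (3.5 bits/byte) and window (256 bytes) are this example's
    assumptions, not published thresholds.
    """
    findings = []
    for m in ACCESS_KEY_RE.finditer(blob):
        lo, hi = max(0, m.start() - window), min(len(blob), m.end() + window)
        region = blob[lo:hi]
        secret = None
        for cand in SECRET_CANDIDATE_RE.finditer(region):
            if shannon_entropy(cand.group(0)) >= min_entropy:
                secret = cand.group(0)
                break
        findings.append(Finding(
            offset=m.start(),
            access_key_id=m.group(0).decode("ascii"),
            secret_nearby=secret is not None,
            redacted_secret=redact(secret) if secret else None,
        ))
    return findings


# Constructed stand-in for an application memory dump: some binary noise, a
# low-entropy 40-character decoy, a placeholder key pair, then null filler and
# a lone temporary key ID with no secret within the window. None of these are
# real credentials; the secret is the placeholder from the AWS documentation.
SAMPLE_DUMP = (
    b"\x00\x01java.util.HashMap\x00\x00"
    b"s3.bucket=vehicle-telemetry-placeholder\n"
    b"padding AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    b"aws.accessKeyId=AKIAEXAMPLEKEY000001\n"
    b"aws.secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    + b"\x00" * 600
    + b"session=ASIAEXAMPLETEMP00001 (STS id only)\n"
)


if __name__ == "__main__":
    for f in scan_for_aws_credentials(SAMPLE_DUMP):
        print(f"offset {f.offset:6d}  {f.access_key_id}  "
              f"secret nearby: {f.secret_nearby}  {f.redacted_secret or ''}")
```

Run as a gate on the step that packages or uploads an artifact, and treat any finding as a reason to rotate the key, not merely to delete the file: a dump that reached the web root may already have been copied. A production deployment would use a maintained secret scanner with a broad rule set, since real leaks carry far more credential formats than the two patterns shown here.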
But why does Cariad collect all this data in the first place? In response to an inquiry from DER SPIEGEL, the company said that "anonymized data pertaining to customer charging patterns and charging habits are used to improve batteries and battery software." Cariad insists that the company never matches up data "in a manner that conclusions can be drawn about individual people or movement profiles developed.”
The company says that the IT experts who examined the data were only able to create such movement profiles through "the circumvention of numerous security mechanisms” requiring "a high degree of expert knowledge and significant time spent in addition to the combination of several datasets.” Instead of calling it a security breach, the company prefers to speak of an "incorrect configuration.” The company hasn’t yet completed its analysis of the incident, but says that so far "no one other than the CCC has accessed the systems, and we have no indications of any misuse of data by third parties.”
[…] "since no sensitive data like passwords or payment information was affected.” Customers, the company says, can "freely decide whether they wish to use products and services that require the processing of personal data. All vehicles with online functions offer the option to deactivate them at any time.”
The incident goes far beyond just Cariad and VW. Many modern cars contain a three-figure number of sensors and they collect a massive amount of data, and only the carmakers themselves know precisely what information is collected and how much.
A study by Germany’s roadside assistance association for car-owners of vehicles from BMW, Renault and Mercedes found that the Mercedes B-Class communicates its current location back to Mercedes every two minutes. Additional information reported includes the odometer reading, tire pressure and number of seatbelts being used, all of it information that can be used to draw conclusions about driving style. The BMW i3 analyzed in the study transfers a number of datapoints each time it is turned off, including detailed information regarding the battery in addition to the locations of the previous 16 charging stations used.
The Mozilla Foundation, which promotes free software and is best known for its Firefox browser, examined the data collection practices of 25 automakers in 2023. Its stark conclusion: "Modern cars are a privacy nightmare.” All of the brands examined collect more data than necessary, with 76 percent of them saying they were in a position to resell such data. 68 percent of the brands studied have experienced hacks, security incidents or data leaks in the last three years. An "embarrassing track record,” the foundation notes.
VW is far from the only carmaker that has experienced security problems stemming from the flood of data. The security researcher Curry and his team demonstrated that they were able to break into user accounts of BMW employees and sellers at will and have a look at sales documents. They also found their way into the Mercedes Benz company chat application. The security breaches the hackers found at KIA were even more serious: They were able to unlock vehicles from the South Korean carmaker from afar and even start their engines. Curry and his team are "white-hat hackers,” who proceed in a similar fashion to the CCC in the Cariad incident – they informed the companies involved and the problems were corrected.
The so-called "Jeep hack” has achieved almost legendary status: two IT experts were able to remotely access the car’s electronics through the built-in radio module and could control the vehicle’s brakes. The incident led to the recall of 1.4 million vehicles to receive a software update to protect from such attacks.
[…] particularly since more and more actors are expressing interest in such data. Some would like to access it so they can offer plans that reward a defensive driving style.
Automakers are slowly losing their grip on the data. A regional court in Cologne ruled that it was no longer permissible to prevent independent car repair shops from accessing data necessary to make repairs. Unaffiliated mechanics had complained that some producers required them to purchase expensive licenses to access vehicle data and fault memory. A new EU regulation, whose application will be mandatory from September 2025, goes further: despite the lobbying efforts of carmakers to maintain control of the data, Brussels has opted to give car owners more control over the information they generate. Manufacturers will be required to provide owners with simple and free access to their own data – thereby making their collection practices more transparent.
Interactive Element "What Location Data Divulges": [M] DER SPIEGEL; Photos: Paul Langrock