Massive electric vehicle security breach reveals drivers’ daily routines

Published 31 Dec 2024

A data leak at Volkswagen’s software company exposed sensitive information from 800,000 electric vehicles, including driver locations and movement patterns across Europe. The data had sat in unprotected cloud storage for months before the exposure was discovered in November 2024.

The German ethical hacking group Chaos Computer Club (CCC) first uncovered the leak on November 26 through a whistleblower, according to Spiegel. Linus Neumann, spokesperson for CCC, likened the breach to a giant keyring hidden under a too-small doormat.

The exposed data included GPS coordinates accurate to within 10 centimeters for many vehicles, allowing anyone to track where and when cars were parked. This affected various Volkswagen Group brands, including VW, Audi, Seat, and Skoda, with 300,000 vehicles in Germany alone.

The breach hit close to home for German politician Nadja Weippert. She discovered her own car’s movements were exposed after setting up the app. “I am shocked,” said Weippert, who drives a VW ID.3. “I [cannot believe] that my data is stored unencrypted in the Amazon cloud and then not even properly protected.” (Translation by Google Translate)

Security experts warn the leak could enable stalking, targeted scams, or even surveillance of government officials. Among the affected vehicles were 35 police cars in Hamburg and vehicles belonging to suspected intelligence service employees.

Cariad, Volkswagen’s software subsidiary, fixed the security flaw within hours of being notified. The company maintains there is no evidence that anyone besides CCC accessed the systems and claims no sensitive information like passwords or payment data was exposed.

However, researchers demonstrated they could easily link movement data to individual drivers through connected user profiles. This allowed them to see personal details like email addresses, phone numbers, and home addresses alongside detailed location histories.

The incident points to broader privacy concerns as cars become more connected. A recent Mozilla Foundation study found that 25 major car brands collect more data than needed, and most of them share or sell this information to third parties.

“I expect VW to collect less data and ensure complete anonymization in the future,” said Weippert, highlighting growing calls for stricter data protection in connected vehicles.

New European Union rules coming in 2025 will give car owners more control over their vehicle data. Until then, Volkswagen says customers can opt out of online features, though this may limit access to conveniences like remote car monitoring and battery charging status updates.