Volkswagen discloses data breach impacting 3.3 million Audi drivers

Volkswagen America said that a data breach at a third-party vendor it was using for sales and marketing purposes exposed the personal details of more than 3.3 million of its customers, most of which were Audi car owners.

The breach took place between August 2019 and May 2021, Volkswagen said in a letter to the Maine Attorney General, first spotted by TechCrunch reporter Zack Whittaker.

The company said the leak occurred because the vendor left one of its systems unsecured online.

Volkswagen learned of the leak on March 10, this year, however, it took the vendor another two months before it secured its server.

The incident did not impact all Volkswagen customers in the same way. For some sensitive information was exposed, while for others less personal details were stored on the leaky server. Volkswagen explained the breadth of the breach in its Main OAG letter:

For over 97% of the individuals, the exposed information consists solely of contact and vehicle information relating to Audi customers and interested buyers, including some or all of the following contact information: first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also includes information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages.

For approximately 90,000 Audi customers or interested buyers, the data also includes more sensitive information relating to eligibility for a purchase, loan, or lease. Nearly all of the more sensitive data (over 95%) consists of driver's license numbers. A very small number of records include data such as dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers.

The car vendor said the exposed data was gathered from US and Canadian customers between 2014 to 2019.

A Volkswagen Group of America spokesperson was not available for comment on Friday, the day after the company disclosed the breach.

It is currently unknown if the data might have been downloaded by unauthorized parties before it was secured or why the third-party vendor took two months to secure its server.

While most users face risks related to online fraud activity, owners of expensive Audi cars also face the risk of being targeted by professional car thieves if the leaked data ever falls into the wrong hands.