Millions of Volkswagen customers affected by data breach

The incident stems from a vendor that left customer information unsecured

A data breach at the US subsidiary of the Volkswagen Group has affected 3.3 million customers after a vendor left unsecured data exposed on the internet.

Volkswagen Group of America, Inc. (VWGoA) is the North American subsidiary of the German Volkswagen Group that looks after Volkswagen, Audi, Bentley, Bugatti, and Lamborghini operations in the US and Canada. 

According to data breach notifications filed with the attorneys general of California and Maine, the company believed that the data was obtained when a vendor left electronic data unsecured at some point between August 2019 and May 2021.

According to a notification letter sent to customers, on March 10, the company was alerted that an unauthorized third party may have obtained certain customer information.

The letter read: “We immediately commenced an investigation to determine the nature and scope of this event.” The investigation confirmed the third party obtained limited personal information received from or about customers and interested buyers, from a vendor used by Audi, Volkswagen, and some authorized dealers in the United States and Canada. The letter didn’t state who the offending vendor was.

“This included information gathered for sales and marketing purposes from 2014 to 2019. We believe the data was obtained when the vendor left electronic data unsecured at some point between August 2019 and May 2021, when we identified the source of the incident,” the letter continued.

Related Resource

A guide to enterprise detection and response providers

The 12 providers that matter most and how they stack up

Forrester enterprise detection WPDownload now

Among the data exposed were customers’ first and last names, personal or business mailing addresses, email addresses, and phone numbers. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the vehicle identification number (VIN), make, model, year, color, and trim packages.

"The data also included more sensitive information relating to eligibility for a purchase, loan, or lease. More than 95% of the sensitive data included was driver’s license numbers. There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers,” the letter stated.

A letter from the company’s lawyers said that for the 90,000 customers who had more sensitive data exposed, the company would provide free credit protection services, $1 million of insurance, and assistance in the event of identity theft. 

VWGoA is now notifying affected customers of the breach and warning them to remain alert for suspicious emails or other communications. 

VWGoA is conducting a full security review with the vendor to identify if further security enhancements are reasonable and appropriate, according to the lawyers’ letter.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Acer Taiwan falls victim to cyber attack
hacking

Acer Taiwan falls victim to cyber attack

18 Oct 2021
Marsh McLennan reveals its cyber risk analytics center
risk management

Marsh McLennan reveals its cyber risk analytics center

15 Oct 2021
£100 contactless payment limit could place shoppers at risk, warn industry experts
Policy & legislation

£100 contactless payment limit could place shoppers at risk, warn industry experts

15 Oct 2021
Hackers used MSHTML exploit a week before patches were ready
zero-day exploit

Hackers used MSHTML exploit a week before patches were ready

14 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021
Veritas Backup Exec 21.3 review: Covers every angle
backup software

Veritas Backup Exec 21.3 review: Covers every angle

14 Oct 2021