Millions of Volkswagen customers affected by data breach

The incident stems from a vendor that left customer information unsecured

A data breach at the US subsidiary of the Volkswagen Group has affected 3.3 million customers after a vendor left unsecured data exposed on the internet.

Volkswagen Group of America, Inc. (VWGoA) is the North American subsidiary of the German Volkswagen Group that looks after Volkswagen, Audi, Bentley, Bugatti, and Lamborghini operations in the US and Canada. 

According to data breach notifications filed with the attorneys general of California and Maine, the company believed that the data was obtained when a vendor left electronic data unsecured at some point between August 2019 and May 2021.

According to a notification letter sent to customers, on March 10, the company was alerted that an unauthorized third party may have obtained certain customer information.

The letter read: “We immediately commenced an investigation to determine the nature and scope of this event.” The investigation confirmed the third party obtained limited personal information received from or about customers and interested buyers, from a vendor used by Audi, Volkswagen, and some authorized dealers in the United States and Canada. The letter didn’t state who the offending vendor was.

“This included information gathered for sales and marketing purposes from 2014 to 2019. We believe the data was obtained when the vendor left electronic data unsecured at some point between August 2019 and May 2021, when we identified the source of the incident,” the letter continued.

Related Resource

A guide to enterprise detection and response providers

The 12 providers that matter most and how they stack up

Forrester enterprise detection WPDownload now

Among the data exposed were customers’ first and last names, personal or business mailing addresses, email addresses, and phone numbers. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the vehicle identification number (VIN), make, model, year, color, and trim packages.

"The data also included more sensitive information relating to eligibility for a purchase, loan, or lease. More than 95% of the sensitive data included was driver’s license numbers. There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers,” the letter stated.

A letter from the company’s lawyers said that for the 90,000 customers who had more sensitive data exposed, the company would provide free credit protection services, $1 million of insurance, and assistance in the event of identity theft. 

VWGoA is now notifying affected customers of the breach and warning them to remain alert for suspicious emails or other communications. 

VWGoA is conducting a full security review with the vendor to identify if further security enhancements are reasonable and appropriate, according to the lawyers’ letter.

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Six ways boards can step up support for cyber security
Business strategy

Six ways boards can step up support for cyber security

22 Jul 2021