The breach occurred due to a misconfiguration of cloud storage settings, which allowed unauthorized access to data including:
detailed geolocation data (GPS),
information about the vehicle status,
and probably also the contact details of the vehicle owners.
This incident is another example of how mismanagement of cloud environments can lead to serious breaches of privacy and data security. Of particular concern is the potential for the exposed information to be used to track or identify specific vehicle users.
This incident highlights the growing risks associated with storing data in cloud environments, especially when configuration errors or human oversights lead to the disclosure of significant amounts of data, leaving it vulnerable to cybercriminals.
Given Volkswagen's significant role in the automotive industry and the growing importance of connected vehicle technology, this incident raises serious concerns regarding GDPR compliance, privacy protection and liability for breaches of data protection regulations.
German politicians among the "victims" of the incident
Nadja Weippert is a politician who serves as a member of the Landtag (regional parliament) of Lower Saxony and is also the mayor of the town of Tostedt, located between Hamburg and Bremen. She also serves as her party's data protection officer. Last year, after purchasing a new VW ID.3 electric car, she immediately installed the Volkswagen app, which allows users to remotely manage vehicle functions such as preheating the car, checking the battery charge status, and monitoring range.
However, after she installed the app, detailed data on Weippert's daily location and movements began to be collected. Each time the car was switched off, it automatically transmitted GPS data giving its exact position, which allowed a detailed picture of her daily routes to be assembled, including places like Tostedt Town Hall, the Lower Saxony Landtag, her favorite sports club, and her physiotherapist's office.
This data could easily be linked to her identity and used to track her, posing a significant privacy risk for Weippert. She was shocked to learn that her location data was stored on Amazon's public cloud, accessible to unauthorized users. She expressed her dissatisfaction, demanding that Volkswagen stop collecting excessive amounts of data and implement appropriate privacy protection mechanisms, including data anonymization.
The second politician to fall victim to this incident was Markus Grübel, a German politician from the CDU party who serves as a member of the Bundestag and on the Defense Committee. In Grübel's case, his vehicle also transmitted detailed location data, including locations where he regularly parked—for example, in front of the nursing home where his elderly father lived, and in front of military buildings because of his role on the Defense Committee. As with Weippert, this data was easily linked to his identity and activities, posing a privacy risk.

Grübel, like Weippert, called the data leak scandalous and expressed his dissatisfaction, stating that the entire situation reinforces negative perceptions of the German automotive industry, especially in the context of the development of autonomous vehicles, which will be dependent on data collection. The politician emphasized the need to significantly improve data security standards in the automotive industry to prevent future leaks and manipulation.
Cariad says "misconfiguration"
Cariad, the Volkswagen Group software subsidiary responsible for the affected systems, told SPIEGEL [1] that "pseudonymized data on customer charging behavior and habits" will be used to improve the batteries and their associated software. Cariad emphasizes that data within the group is never combined in a way that "would enable the identification of individuals or the creation of traffic profiles."
According to Cariad, the Chaos Computer Club (hereinafter referred to as CCC), which found and reported the exposed data, only managed to access it by "bypassing several security mechanisms," which "required a high degree of expertise and significant time, as well as by combining various data sets." Instead of calling it a security vulnerability, the company prefers to call it a "misconfiguration." Cariad also stated that "to our current knowledge, no one other than CCC had access to the systems, and we have no indication that any third parties misused the data."
Cariad explained: “There is no need for any action from customers as no confidential information, such as passwords or payment details, is compromised.”
Risks of storing data in the cloud
Cloud storage is becoming the standard, offering flexibility and scalability. However, as the Volkswagen case demonstrates, even a minor configuration error can result in the disclosure of vast amounts of personal data. Common causes of such incidents include:
lack of adequate access control,
storing data in unencrypted form,
lack of continuous monitoring and testing of the cloud environment,
an unclear division of responsibility between the customer and the service provider (e.g. AWS) for securing the environment.
Despite its many advantages, storing data in the cloud poses significant security and privacy challenges. However, the risk of data leaks, unauthorized access, and configuration errors can be significantly reduced by taking appropriate precautions. Good practices include: data encryption at rest and in transit, access segmentation (the principle of least privilege), regular security audits, penetration testing, using trusted cloud providers compliant with international standards (e.g., ISO/IEC 27001), and real-time log and alert monitoring.
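To make the causes listed above concrete, here is an added example (my own code, not Cariad's or Volkswagen's) that audits a single bucket configuration for the first three: a policy or ACL that grants access to everyone, Block Public Access switched off, and no default encryption at rest. The two configurations it is run on, EXPOSED and HARDENED, are constructed inputs shaped like the JSON AWS returns from GetBucketPolicy, GetBucketAcl, GetPublicAccessBlock and GetBucketEncryption; the bucket name, VPC endpoint id and account id in them are hypothetical, so nothing here reaches out to AWS.

```python
"""Audit a bucket configuration for the cloud misconfigurations discussed above.

Constructed example: EXPOSED and HARDENED are made-up inputs shaped like the
JSON AWS returns for a bucket's policy, ACL, Block Public Access and encryption
settings. All identifiers (bucket, VPC endpoint, account) are hypothetical.
"""
import json

# Grantee URIs AWS uses for anonymous and any-authenticated-AWS-user ACL access.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Condition keys that narrow a "*" principal to a network or organisation.
SCOPING_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:principalorgid", "aws:sourceip"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def _is_scoped(condition: dict) -> bool:
    """True if any condition key pins the request to a VPC, org or source IP."""
    return any(key.lower() in SCOPING_KEYS for keys in condition.values() for key in keys)


def audit_bucket(cfg: dict) -> list:
    """Return human-readable findings; an empty list means no check fired."""
    findings = []

    # 1. Bucket policy: Allow + wildcard principal + no scoping condition = world readable.
    policy = json.loads(cfg["Policy"]) if cfg.get("Policy") else {"Statement": []}
    statements = policy.get("Statement", [])
    for st in [statements] if isinstance(statements, dict) else statements:
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        if _is_scoped(st.get("Condition", {})):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append(f"policy statement {st.get('Sid', '?')} grants {', '.join(actions)} to everyone")

    # 2. Legacy ACL grants to AllUsers / AuthenticatedUsers.
    for grant in cfg.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")

    # 3. Block Public Access: all four switches must be on.
    pab = cfg.get("PublicAccessBlock", {})
    findings.extend(f"PublicAccessBlock.{flag} is off" for flag in PAB_FLAGS if not pab.get(flag, False))

    # 4. Default server-side encryption at rest must be configured.
    if not cfg.get("Encryption", {}).get("Rules"):
        findings.append("no default server-side encryption configured")
    return findings


# Weak configuration (constructed): public-read policy, public ACL, no BPA, no encryption.
EXPOSED = {
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-telemetry/*"}]}),
    "Grants": [{"Grantee": {"Type": "Group", "URI": PUBLIC_GRANTEES.__iter__().__next__() and
                            "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}],
    "PublicAccessBlock": {flag: False for flag in PAB_FLAGS},
    "Encryption": {"Rules": []},
}

# Corrected configuration (constructed): access only via a named VPC endpoint, BPA on, KMS encryption.
HARDENED = {
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-telemetry/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-telemetry/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}],
    "PublicAccessBlock": {flag: True for flag in PAB_FLAGS},
    "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
}

if __name__ == "__main__":
    for name, cfg in (("EXPOSED", EXPOSED), ("HARDENED", HARDENED)):
        print(f"{name}: {audit_bucket(cfg) or ['no findings']}")
```

The EXPOSED configuration produces seven findings (the public policy statement, the public ACL grant, the four Block Public Access switches and missing encryption); HARDENED produces none, because the wildcard principal is scoped to a VPC endpoint and the Deny statement is ignored by the check. The same function can be fed the real output of the corresponding AWS API calls for every bucket in an account, which is the kind of continuous configuration check the list above calls for.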
Under the GDPR, organizations storing data in the cloud have a number of obligations. These primarily include ensuring that data processing is carried out lawfully, fairly, and transparently towards data subjects. Data controllers must conclude appropriate processing agreements with cloud service providers and ensure that data is not transferred to third countries without appropriate safeguards. Implementing the principles of privacy by design and privacy by default—designing systems with privacy in mind from the outset and limiting data processing to the minimum necessary—is also crucial.
Incidents of this type have also occurred at other large entities, such as Alibaba and AT&T, demonstrating that the scale and reputation of a company do not automatically guarantee compliance with data protection rules.
Not an isolated case – other cloud incidents
This isn't an isolated incident – similar large-scale cloud data security incidents have occurred before. In July 2022, a misconfigured Shanghai police database hosted on Alibaba Cloud exposed the personal data of about a billion Chinese citizens. In 2024, AT&T disclosed that call and text message records of roughly 109 million customer accounts, covering most of 2022 and a day in January 2023, had been taken from a third-party cloud platform used by the company [2]. These incidents clearly demonstrate the crucial importance of applying rigorous security measures when using cloud technologies. Even a seemingly minor lapse can lead to a massive data breach and serious consequences for companies and users.
GDPR Legal Implications – Could Volkswagen have done something wrong?
Under Regulation (EU) 2016/679 (GDPR), data controllers are required to comply with a number of requirements. In this case, Volkswagen may have violated at least the following obligations:
Lack of appropriate technical and organisational measures → Violation of Article 5(1)(f) and Article 32 of the GDPR, which stipulate the obligation to ensure the security of processed data.
Violation of the principle of data minimisation and purpose limitation → Volkswagen may have stored excessive personal data that were inappropriate for the purposes for which they were collected – violation of Article 5(1)(c) and (b) of the GDPR.
Lack of due diligence in assessing the risk associated with the data processor (AWS) → Possible violation of Article 28 of the GDPR regarding the selection and supervision of the data processor.
Failure to comply with the obligation to notify a breach → Pursuant to Article 33 of the GDPR, a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it; under Article 34, the affected data subjects must be informed without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
Failure to apply the "privacy by design" principle → Article 25 of the GDPR obliges the controller to implement appropriate technical measures at the system design stage. An incorrectly configured cloud server constitutes a gross violation of this principle.
Other manufacturers also have IT security problems
Volkswagen is certainly not the only car manufacturer that has serious problems with the security of processed data:
In January 2023, a team led by then-23-year-old hacker Sam Curry from Omaha, Nebraska, demonstrated how it was possible to take over any BMW user, employee or dealership account and review sales records.
The flaws the team found at Kia proved even more serious: they managed to remotely unlock and even start the South Korean manufacturer's vehicles. Fortunately, Curry and his team were white-hat hackers who operated in the same manner as the Chaos Computer Club did with Cariad: they informed the affected companies in advance, and the vulnerabilities were subsequently patched.