In late 2024, it emerged that Volkswagen had suffered a major data breach. One that exposed detailed personal and vehicle data from around 800,000 electric car owners worldwide.
What made this breach so alarming wasn’t just the scale. It was the nature of the data exposed. Movement records, home addresses, contact details – all stored unprotected in the cloud. For UK drivers affected, it’s vital to understand what this means and what to do next.
What kind of information was exposed in the VW data breach?
The breach, traced back to a misconfigured cloud system run by VW’s software arm Cariad, left vast volumes of sensitive data publicly accessible. This included:
- Full names, email addresses and phone numbers
- Residential addresses
- Vehicle Identification Numbers (VINs)
- Logs showing exact GPS coordinates of where and when EVs were switched on or off
- Routine movement profiles (commutes, weekend trips, etc.)
In some cases, location data was accurate to within 10 centimetres – far more precise than most consumer mapping tools.
What are the real-world risks?
This kind of information doesn’t just sit in a spreadsheet. It can be weaponised.
Social engineering and phishing
Scammers thrive on context. With leaked data like your name, location habits and car model, a phishing email could convincingly appear to be from your dealership, insurer or even VW itself, urging you to update payment details or verify ownership.
Identity theft
Even without financial data, the combination of your name, contact info and behavioural data can help criminals commit fraud, applying for credit, impersonating you, or hijacking online accounts.
Personal security threats
For some, the risks go beyond digital. The exposed data can be used to infer when a person is at home, on holiday, or visiting sensitive locations. In Germany, vehicles were tracked to military sites, addiction clinics and other private destinations. Stalkers or abusive ex-partners could potentially exploit this data to cause harm.
How could this happen?
Volkswagen has said the breach was caused by a “misconfiguration” of its cloud systems. But reporting revealed that data was left exposed and accessible without advanced hacking tools.
The files contained sensitive information like battery levels, inspection statuses and geolocation tags. In many cases, that data was also linked to identifiable users through VW’s own app system.
While Cariad responded quickly after being alerted, it’s unclear how many people may have accessed the data beforehand.
Four steps to protect yourself now
If you own an affected VW, Audi, SEAT or Škoda EV—especially an ID.3, ID.4 or Enyaq model—consider taking these steps:
1. Strengthen your digital defences
- Update passwords for your car’s mobile app, email and any related services
- Enable multi-factor authentication wherever possible
- Don’t reuse passwords across services
2. Be extra cautious with messages
- Look out for emails, texts or calls pretending to be from VW or your dealership
- Don’t click on suspicious links or share sensitive information
- If in doubt, contact the business directly through official channels
3. Monitor your identity and finances
- Check your credit report for any unusual activity
- Consider using a credit monitoring or fraud alert service
- Watch for any unrecognised charges or direct debit changes
4. Limit app data sharing where possible
- Review what your vehicle app is tracking and sharing
- Consider deactivating some connected services temporarily
Could I claim compensation?
Yes. If your data was exposed in this breach, you may be entitled to compensation. In fact, a group claim is now underway in the UK.
Check if you’re eligible
It takes just a few minutes to check your eligibility using our secure online tool. If you’re affected, we’ll connect you with legal experts who can support your claim from start to finish.
