When it was revealed that Volkswagen had exposed the personal and movement data of hundreds of thousands of electric vehicle owners, the scale of the problem shocked both drivers and data privacy experts.
This wasn’t a case of outside hackers breaching a system. It was a failure from within. For months, detailed vehicle logs and personal contact details were left unprotected in a cloud storage system used by the VW Group. And it wasn’t spotted by Volkswagen. Instead, it was uncovered by ethical hackers who raised the alarm.
Here’s what we know so far about the VW data breach, how it happened, and what it means for drivers in the UK.
What exactly happened?
Volkswagen stored EV data in an Amazon Web Services (AWS) cloud platform as part of its connected car infrastructure. A technical error meant that this data, spanning several terabytes, was left publicly accessible for months.
Anyone who found the right link could view it. No passwords. No encryption. No warning signs.
The exposed data included information from across the Volkswagen Group’s electric range, including models from Audi, SEAT, Škoda and VW itself.
How did the breach come to light?
Volkswagen did not discover the breach itself. It was a whistleblower who tipped off the Chaos Computer Club (CCC), a respected collective of IT security specialists based in Germany.
CCC investigated, confirmed the vulnerability, and alerted Volkswagen and its software subsidiary Cariad. Only after this intervention was the data finally secured.
What kind of data was exposed?
The information stored in the open cloud system included:
- Names, mobile numbers and email addresses
- Home and business addresses
- Vehicle Identification Numbers (VINs)
- Logs showing exactly when and where EVs were switched on or off
- GPS coordinates accurate to within ten centimetres in some cases
This level of detail made it possible to build complete movement profiles for individual drivers, including where they live, work, shop and travel.
Why was Volkswagen collecting this data?
Volkswagen says it collected the information to improve its vehicle systems, particularly charging habits and software performance. It has claimed the data was pseudonymised internally, but the breach exposed it in a way that made it easy to re-identify individuals.
In fact, journalists working with the data were able to link specific names to specific locations with ease.
Could the data have been misused?
Volkswagen has said there’s no evidence the data was accessed by malicious actors. But cybersecurity experts disagree. Given how long the data was exposed, and how easy it was to access, there’s no way to know who might have seen or downloaded it.
What has Volkswagen said about the incident?
Volkswagen has acknowledged the breach and referred to it as a “misconfiguration.” Its software subsidiary, Cariad, has taken responsibility for the technical side of the error. The company says the issue has now been fixed and that it is conducting a full internal review.
However, for many drivers, particularly those whose personal movements were logged in precise detail, the reassurance has come too late.
Which vehicles were affected?
The breach affected electric vehicles from across the Volkswagen Group, including:
- Volkswagen ID.3 and ID.4
- Audi Q4 e-tron and e-tron GT
- SEAT Mii Electric
- Škoda Enyaq iV
The most detailed tracking data was linked to the Volkswagen and SEAT models.
Has Volkswagen offered compensation?
At the time of writing, Volkswagen has not offered direct compensation to affected drivers. However, a group legal claim is now underway in the UK to pursue compensation on behalf of those affected.
You may be eligible to join if your data was exposed, especially if you’ve received a data breach notification from VW or one of its brands.
What should I do if I think I’ve been affected?
- Review any data breach letters or notifications you’ve received
- Take steps to secure your accounts, especially your vehicle app, email and financial logins
- Use our quick eligibility checker to see if you qualify to join the claim
The Volkswagen data breach is a reminder that even the biggest companies can get data privacy badly wrong. In the age of connected vehicles, software failures can have real-life consequences – exposing not just digital identities, but physical ones too.
If you believe your data may have been exposed, it’s important to take action now to protect your information, and to hold companies to account when they fail to keep it safe.
