Millions of Volkswagen customers affected by data breach

A data breach at the US subsidiary of the Volkswagen Group has affected 3.3 million customers after a vendor left unsecured data exposed on the internet.

Volkswagen Group of America, Inc. (VWGoA) is the North American subsidiary of the German Volkswagen Group that looks after Volkswagen, Audi, Bentley, Bugatti, and Lamborghini operations in the US and Canada.

According to data breach notifications filed with the attorneys general of California and Maine, the company believed that the data was obtained when a vendor left electronic data unsecured at some point between August 2019 and May 2021.

According to a notification letter sent to customers, on March 10, the company was alerted that an unauthorized third party may have obtained certain customer information.

The letter read: “We immediately commenced an investigation to determine the nature and scope of this event.” The investigation confirmed the third party obtained limited personal information received from or about customers and interested buyers, from a vendor used by Audi, Volkswagen, and some authorized dealers in the United States and Canada. The letter didn’t state who the offending vendor was.

“This included information gathered for sales and marketing purposes from 2014 to 2019. We believe the data was obtained when the vendor left electronic data unsecured at some point between August 2019 and May 2021, when we identified the source of the incident,” the letter continued.

Among the data exposed were customers’ first and last names, personal or business mailing addresses, email addresses, and phone numbers. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the vehicle identification number (VIN), make, model, year, color, and trim packages.

"The data also included more sensitive information relating to eligibility for a purchase, loan, or lease. More than 95% of the sensitive data included was driver’s license numbers. There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers,” the letter stated.

A letter from the company’s lawyers said that for the 90,000 customers who had more sensitive data exposed, the company would provide free credit protection services, $1 million of insurance, and assistance in the event of identity theft.

VWGoA is now notifying affected customers of the breach and warning them to remain alert for suspicious emails or other communications.

VWGoA is conducting a full security review with the vendor to identify if further security enhancements are reasonable and appropriate, according to the lawyers’ letter.