Millions of Volkswagen customers may have had their details leaked online

Volkswagen Dealership
(Image credit: Martin Katler / Unsplash)

German automaker Volkswagen has announced that the information of more than 3.3m of its customers has been exposed online after one of its vendors failed to secure a collection of customer data.

In a notice of data breach obtained by TechCrunch, the company explained that the vendor in question is used by Volkswagen, its subsidiary Audi and authorized dealers throughout the US and Canada. 

The customer data, which spans from 2014 to 2019, was left unprotected online over the course of a two-year window from August 2019 until May 2021. While Volkswagen hasn't named the vendor responsible, it's likely the case that they exposed the data by leaving it in an unsecured database.

Based on the information in the data breach notice, an unauthorized third party first accessed the data in March after which point Volkswagen launched an investigation into the matter. However, the company is just informing customers regarding the situation now as in May, it was able to confirm that sensitive personal information was also included in the incident.

Exposed customer data

The exposed data, collected on customers for sales and marketing purposes, contains personal information about Volkswagen customers and prospective buyers including their names, addresses, emails and phone numbers.

However, over 90,000 of the company's customers in the US and Canada also had some of their sensitive data exposed including information related to their loan eligibility status. According to the data breach notification, most of the sensitive data was driver's license numbers though a small number of records also including customers' birth dates and Social Security numbers.

At this time, it's still unclear as to whether or not the exposed customer data has been misused by the unauthorized third party that was able to gain access to it.

Thankfully, Volkswagen has partnered with the consumer privacy platform IDX to provide customers whose data was exposed with identity theft protection  which includes two years of credit and CyberScan monitoring. We'll likely find out more regarding what happened once law enforcement finishes its investigation. 

Via TechCrunch

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.