O Volkswagen Group revealed on Friday (11) a cybersecurity incident that resulted in the exposure and data theft of more than 3.3 million customers and potential customers of Volkswagen and Audi vehicles. The Volkswagen Group is a German conglomerate that sells vehicles under the Volkswagen, Audi, SEAT, Škoda, Bentley, Bugatti, Lamborghini, Porsche, Jetta, Ducati, Scania, Neoplan, Traton and MAN brands.
The attack was directed at IDX, Volkswagen-authorized credit monitoring service provider, which deals with Volkswagen and Audi customers and potential customers.
“On March 10, 2021, Audi and Volkswagen were alerted that an unauthorized third party may have obtained certain customer information. Audi and Volkswagen […] This included information collected for sales and marketing purposes from 2014 to 2019”, writes the IDX on a page created to ask questions about the incident.
The majority of compromised customers are US residents. Of the 3.3 million, only 163,000 are Canadian residents. According to the company, the data was stolen was collected by the company’s marketing department between 2014 and 2019 and was exposed on an unprotected server, which may have been accessed by cybercriminals between August 2019 and May 2021.
According to the company, most customers had data such as name; surname, personal and business address; compromised email address and phone number. However, 90 thousand customers also had data such as date of birth, number of tax documents, social security number and exposed bank information.
Volkswagen said it is getting in touch with affected customers, in addition to having already contacted legal authorities and is investigating the case. The company also said it had hired expert advice on cybersecurity.
“Audi and Volkswagen take data security very seriously. We’ve been in contact with the US and Canadian legal authorities as well as the appropriate regulators, and we’re working with third-party cybersecurity experts and the vendor involved to determine how this has occurred. Affected individuals are being notified directly,” writes IDX.
