Millions of Volkswagen customers affected by data breach

The incident stems from a vendor that left customer information unsecured

A data breach at the US subsidiary of the Volkswagen Group has affected 3.3 million customers after a vendor left unsecured data exposed on the internet.

Volkswagen Group of America, Inc. (VWGoA) is the North American subsidiary of the German Volkswagen Group that looks after Volkswagen, Audi, Bentley, Bugatti, and Lamborghini operations in the US and Canada. 

According to data breach notifications filed with the attorneys general of California and Maine, the company believed that the data was obtained when a vendor left electronic data unsecured at some point between August 2019 and May 2021.

According to a notification letter sent to customers, on March 10, the company was alerted that an unauthorized third party may have obtained certain customer information.

The letter read: “We immediately commenced an investigation to determine the nature and scope of this event.” The investigation confirmed the third party obtained limited personal information received from or about customers and interested buyers, from a vendor used by Audi, Volkswagen, and some authorized dealers in the United States and Canada. The letter didn’t state who the offending vendor was.

“This included information gathered for sales and marketing purposes from 2014 to 2019. We believe the data was obtained when the vendor left electronic data unsecured at some point between August 2019 and May 2021, when we identified the source of the incident,” the letter continued.

Related Resource

A guide to enterprise detection and response providers

The 12 providers that matter most and how they stack up

Forrester enterprise detection WPDownload now

Among the data exposed were customers’ first and last names, personal or business mailing addresses, email addresses, and phone numbers. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the vehicle identification number (VIN), make, model, year, color, and trim packages.

"The data also included more sensitive information relating to eligibility for a purchase, loan, or lease. More than 95% of the sensitive data included was driver’s license numbers. There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers,” the letter stated.

A letter from the company’s lawyers said that for the 90,000 customers who had more sensitive data exposed, the company would provide free credit protection services, $1 million of insurance, and assistance in the event of identity theft. 

VWGoA is now notifying affected customers of the breach and warning them to remain alert for suspicious emails or other communications. 

VWGoA is conducting a full security review with the vendor to identify if further security enhancements are reasonable and appropriate, according to the lawyers’ letter.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

How to use machine learning and AI in cyber security
Security

How to use machine learning and AI in cyber security

30 Jul 2021
Chipotle’s marketing email hacked to send phishing emails
phishing

Chipotle’s marketing email hacked to send phishing emails

29 Jul 2021
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

29 Jul 2021
Colonial Pipeline hack spurred copycat attacks on other oil and gas companies
hacking

Colonial Pipeline hack spurred copycat attacks on other oil and gas companies

29 Jul 2021

Most Popular

Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
UK gun owners urged to be ‘vigilant’ after Guntrader data breach
data breaches

UK gun owners urged to be ‘vigilant’ after Guntrader data breach

23 Jul 2021