If you are a Volkswagen or Audi customer residing in the United States or Canada, you may be concerned to hear that the motoring company has had the data of more than 3.3 million customers exposed recently. VW confirmed the news a few days ago, noting that the exposed data is the result of a supplier leaving information freely accessible online when it should not have.
Perhaps most concerning is the length for which the data was left exposed, with it left unprotected from prying eyes for almost two years between August 2019 to May 2021, a letter being circulated to customers (PDF) notes.
Volkswagen adds that the data in question spans five years between 2014 and 2019, along with it including information such as customer names, addresses, emails and phone numbers. On top of this, as many as 90 000 potential customers who made loan applications may have had more sensitive data exposed, which includes their driver’s license numbers, date of birth and social security (ID) numbers.
While it is unclear whether any people with nefarious motives were able to access the data, the fact that it was left unprotected for almost two years does little to inspire confidence otherwise. It therefore remains to be seen if Volkswagen and Audi (as a subsidiary) will need to take further action.
“We have also informed the appropriate authorities, including law enforcement and regulators, and are working with external cybersecurity experts and the vendor to assess and respond to this situation,” a spokesperson for the carmaker told TechCrunch in a statement.
With the driver’s license and social security numbers being highly valued by hackers, along with proving potentially problematic when paired less sensitive data like phone numbers and addresses, it leaves Volkswagen customers particularly vulnerable.
To address this, the company says that it has partnered with partnered with consumer privacy firm IDX to provide customers with free credit protection services should anything more significant occur as a result of the exposed data.
Regardless of what happens, it goes to show that even when information is shared voluntarily, there is no guarantee that it will remain out of the wrong hands or left free for them to access.