Breach Notification , Incident & Breach Response , Managed Detection & Response (MDR)

Volkswagen, Audi Notify 3.3 Million of Data Breach

Data Was Left Unsecured by Unidentified Marketing Services Company
Volkswagen, Audi Notify 3.3 Million of Data Breach
Photo: Pixabay

Volkswagen and its Audi subsidiary are notifying 3.3 million people in the U.S and Canada of a breach of personal information by a marketing services supplier.

See Also: OnDemand | Integrating Splunk and Panther for Real-Time Alerting and Custom Dashboarding

For most affected individuals, exposed data includes their name, mailing address, email address and phone numbers. The data may also include information about a vehicle that has been purchased, leased or inquired about, including vehicle identification numbers, makes, models, years, colors and trim packages, Volkswagen says in a Q&A. About 163,000 of the 3.3 million affected individuals are in Canada.

More sensitive data, however, was leaked for 90,000 individuals in the United States. Volkswagen says the driver's license numbers for most of those people were leaked. A smaller number within that group may have also had their birth dates, Social Security or social insurance numbers, account or loan numbers and tax identification numbers leaked, Volkswagen says.

Affected individuals are being notified by either email or postal mail. Free credit protection services are being offered for anyone whose driver's license number or other more sensitive data was exposed.

Data Left Unsecured

Volkswagen says the marketing services company that exposed the data - it did not identify the name of the company - had collected the data between 2014 and 2019. That company left the data unsecured for 21 months some time between August 2019 and ending last month.

The company says it was notified that an unauthorized third party had obtained the data on March 10. But it wasn't until May that it was able to identify the source of the data.

"We have been in contact with U.S. and Canadian law enforcement, as well as the appropriate regulators, and are working with third-party cybersecurity experts and the vendor involved to determine how this occurred," Volkswagen says.

Some individuals who have not bought a Volkswagen or an Audi may also be caught up in the breach.

Volkswagen says that "in a limited number of cases, an Audi or Volkswagen customer or interested buyer provided names and contact information for a relative or personal reference to an authorized dealer for purposes of seeking financing of some kind."

Some of these individuals' details have been exposed. "If you have not interacted with Audi, Volkswagen or an authorized dealer directly" - but receive a data breach notification saying your information was part of the incident - "you are likely someone who was included as a personal relative or personal reference."

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.