Data Breach Affects 3.3m Volkswagen, Audi Customers

Volkswagen’s US subsidiary said the personal data of more than 3.3 million North American Volkswagen and Audi customers was exposed after a third-party service provider left the information unsecured for nearly two years.

Volkswagen Group of America confirmed that the customer data was collected from 2014 to 2019. The breach was first reportedly disclosed in a letter to the Maine attorney general.

An unnamed service provider used by VW, its Audi subsidiary and dealers in the US and Canada left the information unsecured for nearly two years, from August 2019 to May 2021.

Sensitive data

The data, gathered for sales and marketing purposes, included personal information about customers and prospective buyers, including their name, postal and email addresses and phone numbers.

In the case of more than 90,000 customers in the US and Canada, however, the data also included more sensitive information relating to loan eligibility.

In more than 95 percent of cases this took the form of driver’s licence numbers, but a “small” number of records also included customers’ dates of birth and Social Security numbers.

The company is notifying all those affected, and said it would offer free credit protection services to those who had more sensitive details exposed.

Fraud

“We regret any inconvenience this may cause our current or potential customers,” VW said in a statement.

It said it had informed law enforcement and regulators and is working with the vendor and cybersecurity experts to respond to the situation.

Earlie this year insurance companies Metromile and Geico said their online quote forms had been hacked to obtain drivers’ licence numbers.

Other car insurance companies have also reported similar incidents. Geico said the scam was likely intended as part of an effort to file and cash fraudulent unemployment benefits.

Authorities say fraud activity has risen sharply during the pandemic.