Volkswagen and Audi have released a notice of a data security incident that took place between August 2019 and May 2021, involving a hacker who accessed parts of the corporate network of a contracted vendor, potentially exfiltrating the details of 3.3 million customers. The particular system belonged to a vendor used by Audi and Volkswagen, two automakers that belong to the same group, and the discovery of the compromise came only on May 10, 2021.
From that point until now, an internal investigation was underway to determine what exactly was accessed by the hackers. Unfortunately, it involves the information of 3.3 million customers and also prospective buyers. The data includes full names, email addresses, phone numbers, and postal addresses. Moreover, for 90,000 customers based in the U.S. and Canada, there is also information relating to loan eligibility. And for even a smaller subset, driver’s license numbers, dates of birth, and social security numbers are also included.
Volkswagen is already circulating notices of a breach to the affected individuals, so what exactly applies to each customer should be clarified in the personalized letters. If not, you can call (833) 406-2408 or chat with a customer support agent on the respective websites and ask for more information about how this incident affects you specifically.
In the meantime, you should remain vigilant against incoming emails, calls, or even letters arriving via post mail. Scammers and phishing actors have numerous ways to exploit the above information, and many of them will attempt to approach you posing as VW or Audi. Note that the real notifications of the data breach will not ask you to share any personal information or sensitive data of any kind and will not request you to verify your identity.
The vendor responsible for this data breach hasn’t been revealed by Volkswagen, who chose to keep this between them and the authorities. We would say that this detail doesn’t matter much at this point, and the main issue here is the duration of the compromise. After almost two years of maintaining a presence on the vendor's network, the actors may have already tricked several customers.
Back in August 2020, the Conti ransomware group hit a network of Volkswagen dealerships in Germany, stealing sensitive data in the process. Back then, the VW Group informed TechNadu that its own IT systems weren’t compromised directly as its dealerships operate as separate, independent entities. We don’t know if the two cases are somehow connected, but it seems unlikely that they are.