Skip to content
Data breachContained

Data leak at Volkswagen

A misconfigured Amazon cloud storage system run by Volkswagen software subsidiary Cariad exposed data on about 800,000 EV owners across VW, Audi, Seat and Skoda, including contact details and precise vehicle location data for roughly 466,000 cars.

Victim
Volkswagen
records
800.0K

On 27 December 2024, Volkswagen β€” Europe's largest carmaker β€” was revealed to have exposed sensitive data on roughly 800,000 electric-vehicle owners through a misconfigured cloud system operated by its software subsidiary, Cariad. The data sat unprotected on an Amazon cloud storage instance for months and spanned the VW, Audi, Seat and Skoda brands.

The exposure was not a hack but a configuration error: two Cariad IT applications left data publicly accessible. Germany's Chaos Computer Club (CCC), tipped off by an anonymous source, identified the flaw and notified Volkswagen on 26 November 2024 before going public around 30 December under a coordinated-disclosure window.

Exposed data included:

  • Owner and customer contact details
  • Vehicle movement and telemetry data
  • Precise geolocation data for about 466,000 vehicles, accurate enough to reconstruct drivers' daily routines (home, workplace and other visited locations)

Cariad closed the misconfiguration the day it was reported. Volkswagen stated that no passwords or payment data were involved, that accessing individual records required bypassing several security mechanisms, and that there was no evidence the exposed data had been accessed by malicious parties. The incident is considered contained.

Sources

  1. cybersecuritynews.comhttps://cybersecuritynews.com/volkswagen-data-breach/
  2. electrek.cohttps://electrek.co/2024/12/30/massive-data-leak-at-volkswagen-exposes-800000-ev-drivers/
  3. darkreading.comhttps://www.darkreading.com/cyberattacks-data-breaches/volkswagen-breach-exposes-data-of-800k-customers

Related incidents

Data breachContained

Data leak at La Quiberonnaise

In early April 2026, the French cannery La Quiberonnaise confirmed that unauthorized access to its systems exposed customer personal data β€” names, postal addresses, email addresses and phone numbers β€” with the company notifying affected clients by email and reporting the breach to the CNIL.

Victim
La Quiberonnaise
Data breachUnknown

Leak at France Ventilation

On 12 December 2025, France Ventilation, a French ventilation and air-treatment specialist, disclosed a data breach that exposed customers' payment card details β€” card number, expiration date and CVV β€” raising a direct risk of banking fraud.

Victim
France Ventilation