In a letter to the Attorney General of Maine, automobile giant Volkswagen disclosed a data breach at one of its third-party vendors. The breach was reported to have exposed the personal details of more than 3.3 million customers, most of whom were Audi owners. Volkswagen Group of America Inc., which includes Audi and Volkswagen America, said that it had confirmed the data breach in early May 2021, following an investigation. It was also revealed that 97% of the information exposed was the vehicle and contract information of Audi customers and interested buyers.
Contents of the Volkswagen letter
The letter was sent to the Attorney General of Maine on June 10th by Squire Patton Boggs LLP on behalf of Volkswagen America. The letter initially claimed that on March 10th 2021, Volkswagen was alerted that an unauthorized third party may have received specific customer information. It was later understood that Volkswagen was using this third-party vendor for marketing and sales activities. After a thorough investigation by law enforcement authorities, it was reported that a third party obtained limited personal information of United States and Canadian customers and interested buyers from a vendor used by Volkswagen, Audi, and other authorized dealers for sales and marketing activities.
It is believed that, at some point between August 2019 and May 2021, the vendor left the data unprotected. Volkswagen has also said that it later discovered the exposure of much more sensitive information, such as full names, emails, phone numbers, and even the Vehicle Identification Number (VIN), contract details, and, in some instances, driver license numbers. Adding to their misgivings, more sensitive information related to the loan/lease information of approximately 90,000 Audi customers has also been leaked.
As per the letter, in the state of Maine, the contact and vehicle information of 6,306 people was impacted by the breach and the more sensitive information of 131 people was affected. These numbers may increase or decrease after further verification with the respective national databases. There is, however, no indication in the letter as to whether the information was misused in any way. Volkswagen has also refused to reveal the identity of the vendor when asked.
As per an article from TechCrunch, Volkswagen has hired a crisis communications firm to manage the situation. As per a spokesperson from the crisis communications firm:
“We have also informed the appropriate authorities, including law enforcement and regulators, and are working with external cybersecurity experts and the vendor to assess and respond to this situation,” via TechCrunch
According to the notice released by Volkswagen on June 11th 2021, the company has partnered with IDX, which is the largest provider of data breach response services in the United States, to provide redressal to all affected consumers. The services provided as a redressal mechanism include free credit protection and identity protection services. These services come with 24 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services.
However, it is still unknown if the leaked data has been secured or has been downloaded by any unauthorized parties. It is also unclear as to why the third-party vendor, who initially caused the leak, took 2 months to secure its servers and why the breach went undetected for so long. With online frauds and other related activities being higher than ever, such sensitive data falling into the wrong hands can be dangerous for those affected.
Volkswagen has further stated that they are taking the matter of safeguarding customer information very seriously and have taken all necessary steps to prevent such an event with all of their vendors. They have also warned all customers to look out for any communications requesting personal information in the name of Volkswagen or any of its affiliates.