Data Left Unsecured for Two Years
In a letter to the victims sent on June 11, Volkswagen wrote that on March 10, the company was drawn to the fact that unauthorized persons may have gained access to certain customer information. The automaker immediately launched an investigation into the nature and extent of the data breach. It revealed that an unknown person had obtained “limited personal information” from Volkswagen and Audi customers in the US and Canada. A supply chain partner collected customer data for sales and marketing purposes between 2014 and 2019. This data was stored unsecured on the internet from August 2019 to May 2021, when Volkswagen identified the source of the incident. As a result, personal information of more than 3.3 million customers ended up on the street.
What Type of Information Was Stolen?
The data included first and last names, postal addresses, email addresses, telephone numbers and extensive details about people’s vehicles, like the Vehicle Identification Number (VIN), model, year, color and accessories package. 95% of the victims also had their driver’s license numbers stolen, which makes it easier for scammers to attempt identity theft. The perpetrators also obtained highly sensitive information of approximately 90,000 US and Canadian customers. This data package included financial data provided by customers to determine whether they were eligible for a loan or lease plan. A very small number also had their dates of birth, tax identification number, social security or social insurance number stolen. Nearly all of the people affected were current and potential Audi customers living in the US. So far, it seems that only a small number of Canadian customers have been affected.
Free Identity Protection Services
The car manufacturer is taking the incident very seriously and has informed law enforcement and appropriate regulators. Further, they have engaged external cybersecurity experts to investigate and respond to the cybersecurity incident. Volkswagen also took steps to address the matter with the vendor. Moreover, Volkswagen has offered customers free credit protection services. The company has taken out insurance for this. The insurer, IDX, covers and compensates damages of up to 1 million dollars. Furthermore, they provide fully managed identity theft recovery services should this crime occur. The deadline to enrol for this service is 11 September 2021.
Look Out for Phishing Scams
Finally, Volkswagen has warned its customers to look out for spam and phishing emails. And to be cautious when opening links or attachments from unsolicited third parties. This is because cybercriminals may try to approach specific customers and steal additional information. Unsolicited emails that contain attachments or suspicious URLs can also offload computer viruses, trojans, keyloggers or other types of malware. The identity and motives of the hacker or hackers are not yet known. So far, there are no indications that any of the stolen data has been dumped. It is also not up for sale on, for example, on the dark web.