Breach Notification , Incident & Breach Response , Security Operations
Volkswagen, Audi Notify 3.3 Million of Data Breach
Data Was Left Unsecured by Unidentified Marketing Services CompanyVolkswagen and its Audi subsidiary are notifying 3.3 million people in the U.S and Canada of a breach of personal information by a marketing services supplier.
See Also: Continuous Attack Simulations: How to Identify Risk, Close Gaps, and Validate Your Security Controls
For most affected individuals, exposed data includes their name, mailing address, email address and phone numbers. The data may also include information about a vehicle that has been purchased, leased or inquired about, including vehicle identification numbers, makes, models, years, colors and trim packages, Volkswagen says in a Q&A. About 163,000 of the 3.3 million affected individuals are in Canada.
More sensitive data, however, was leaked for 90,000 individuals in the United States. Volkswagen says the driver's license numbers for most of those people were leaked. A smaller number within that group may have also had their birth dates, Social Security or social insurance numbers, account or loan numbers and tax identification numbers leaked, Volkswagen says.
Affected individuals are being notified by either email or postal mail. Free credit protection services are being offered for anyone whose driver's license number or other more sensitive data was exposed.
Data Left Unsecured
Volkswagen says the marketing services company that exposed the data - it did not identify the name of the company - had collected the data between 2014 and 2019. That company left the data unsecured for 21 months some time between August 2019 and ending last month.
The company says it was notified that an unauthorized third party had obtained the data on March 10. But it wasn't until May that it was able to identify the source of the data.
"We have been in contact with U.S. and Canadian law enforcement, as well as the appropriate regulators, and are working with third-party cybersecurity experts and the vendor involved to determine how this occurred," Volkswagen says.
Some individuals who have not bought a Volkswagen or an Audi may also be caught up in the breach.
Volkswagen says that "in a limited number of cases, an Audi or Volkswagen customer or interested buyer provided names and contact information for a relative or personal reference to an authorized dealer for purposes of seeking financing of some kind."
Some of these individuals' details have been exposed. "If you have not interacted with Audi, Volkswagen or an authorized dealer directly" - but receive a data breach notification saying your information was part of the incident - "you are likely someone who was included as a personal relative or personal reference."