Volkswagen, Audi Notify 3.3 Million of Data Breach

Volkswagen and its Audi subsidiary are notifying 3.3 million people in the U.S and Canada of a breach of personal information by a marketing services supplier.

See Also: Live Webinar: Seeking Success by Adopting a SASE Architecture: en el idioma Español

For most affected individuals, exposed data includes their name, mailing address, email address and phone numbers. The data may also include information about a vehicle that has been purchased, leased or inquired about, including vehicle identification numbers, makes, models, years, colors and trim packages, Volkswagen says in a Q&A. About 163,000 of the 3.3 million affected individuals are in Canada.

More sensitive data, however, was leaked for 90,000 individuals in the United States. Volkswagen says most of those people also saw their driver’s license numbers get leaked. A smaller number within that group may have also had their birth dates, Social Security or social insurance numbers, account or loan numbers and tax identification numbers leaked, Volkswagen says.

Affected individuals are being notified by either email or postal mail. Free credit protection services are being offered for anyone whose driver’s license or other more sensitive data was exposed.

Data Left Unsecured

Volkswagen says the marketing services company that exposed the data – it did not identify the name of the company – had collected the data between 2014 and 2019. That company left the data unsecured for 21 months, beginning in August 2019 and ending last month.

The company says it was notified that an unauthorized third party had obtained the data on March 10. But it wasn’t until May that it was able to identify the source of the data.

“We have been in contact with U.S. and Canadian law enforcement, as well as the appropriate regulators, and are working with third-party cybersecurity experts and the vendor involved to determine how this occurred,” Volkswagen says.

Some individuals who have neither bought a Volkswagen nor an Audi may also be caught up in the breach.

Volkswagen says that “in a limited number of cases, an Audi or Volkswagen customer or interested buyer provided names and contact information for a relative or personal reference to an authorized deal for purposes of seeking financing of some kind.”

Some of these individuals’ details have been exposed. “If you have not interacted with Audi, Volkswagen or an authorized dealer directly” – but receive a data breach notification saying your information was part of the incident “you are likely someone who was included as a personal relative or personal reference.”