Volkswagen has revealed a data breach impacting over 3.3 million customers.
The majority of impacted individuals are either current or prospective buyers for Audi vehicles. 163,000 individuals are in Canada, whereas the rest are in the United States.
On Friday, the automaker said that a compilation of data used for sales and marketing purposes between 2014 and 2019 was left unsecured and exposed online "at some point" between August 2019 and May 2021, although the exact timeline has not been established.
An associate vendor has been identified as the source of the breach but the company has not been named.
Audi and Volkswagen were alerted that "an unauthorized third party" may have accessed this information on March 10.
Volkswagen says that first and last names, personal and/or business mailing addresses, email addresses, and phone numbers may have been exposed in the breach, alongside information concerning "vehicle[s] purchased, leased, or inquired about," such as vehicle ID numbers, makes, models, years, and colors.
Volkswagen has informed relevant authorities and law enforcement of the data breach.
Reuters reports that regulators have been told that the majority of records only relate to phone numbers and email addresses, however, roughly 90,000 Audi customers and potential buyers in the US may have had purchase and lease eligibility data compromised, such as driving license numbers, dates of birth, Social Security numbers, account or loan numbers, and tax identification numbers.
Individuals whose sensitive data has been exposed will be offered free credit monitoring through an enrollment code.
The company says that anyone notified, but not offered this code, did not have information deemed sensitive compromised and so should stay alert for phishing emails or spam based on any of the basic data leaked.
Emails or letters may also be sent to those involved in the security incident who were not direct customers or prospective buyers.
"In a limited number of cases, an Audi or Volkswagen customer or interested buyer provided names and contact information for a relative or personal reference to an authorized dealer for purposes of seeking financing of some kind," notification partner IDX says.
Volkswagen says that external cybersecurity experts have been pulled in to investigate the incident.
"Audi and Volkswagen are working with third-party cybersecurity experts to assess and respond to this situation and have taken steps to address the matter with the vendor involved," the firms say.
A help hub has been set up by IDX for those who believe they have been impacted by the data breach.
Previous and related coverage
- Feds strike Slilpp, a marketplace for flogging initial access credentials
- This new hacking group has a nasty surprise for African, Middle East diplomats
- DOJ charges cybersecurity official for attack on Georgia hospital
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0