The automotive industry is increasingly becoming a popular pick among threat actors. Because of its perceived vulnerabilities and dynamic trends, the automotive industry is no longer safe from the prying eyes of cybercriminals. The recent data breach at Volkswagen is no different. The cyber incident exposed the personal data of 800K EV customers!
The German car manufacturing giant suffered a data breach across multiple brands, including Audi, Seat, Skoda, and Volkswagen. What’s more concerning is the nature of the data that has been leaked. It consists of sensitive details, such as dates of birth, physical addresses, email addresses, names, etc., of 800,000 electric vehicle owners.
The data also includes specific details such as charging status, warning light indicator data, battery temperature, odometer readings, etc. The worst part is that it contains sensitive geolocation data that reveals shopping habits, workplace locations, school drop-offs, law enforcement personnel residence addresses, and so on.
Flupke, a security analyst at Chaos Computer Club, shed light on significant lapses on Volkswagen’s part. There have been major blunders in data protection practices, such as violations of GDPR regulations and lapses in Volkswagen’s terms of service.
Volkswagen believes that the data breach is the result of a “complex, multilayered process.” On the other hand, Flupke claims that the breach was possible because of “weak token security.”
How did the breach happen?
It all started with a misconfiguration of the Amazon cloud storage system, which was being managed by Cariad, Volkswagen’s software subsidiary. As per reports by the German publication Spiegel, Cariad’s ignorance led to this massive data breach. Reportedly, the group inadvertently kept the customer data accessible online for a long time.
Chaos Computer Club (CCC), the ethical hacker organization in Europe, grabbed this opportunity. Flupke tested the insecure access before letting Volkswagen and Cariad know. He went ahead and used state-of-the-art coding tools to dig into Volkswagen’s systems.
On digging deeper, he realized that an internal Java Virtual Machine (JVM) diagnostic tool was easily accessible without any kind of password protection. This, in turn, exposed AWS credentials, which were themselves stored in plain text.
Flupke further explained that a JSON Web Token can be generated easily by leveraging random user IDs, thereby allowing attackers to pose as genuine users and gain access to personal data through Volkswagen’s API.
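The plaintext AWS credentials described above are the kind of exposure a defender can look for before a diagnostic dump or config file becomes reachable. The following is an added example, not code from Volkswagen, Cariad, or the CCC; the property names are hypothetical, the AKIA pair is the placeholder AWS uses in its own documentation, and the ASIA value is made up.

```python
import re

# AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary)
# followed by 16 uppercase letters or digits.
KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 base64-style characters; the lookarounds stop the
# pattern from matching a slice of a longer blob.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")

# Constructed sample: hypothetical property names. The AKIA pair is the
# AWS documentation placeholder; the ASIA value is invented for this example.
SAMPLE_DUMP = """\
app.name=demo-telemetry
aws.accessKeyId=AKIAIOSFODNN7EXAMPLE
aws.secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
cache.size=256
log.level=INFO
thread.pool=8
last.session.key=ASIAABCDEFGHIJKLMNOP
"""

def redact(value, keep=4):
    """Keep only the prefix so the report does not become a second leak."""
    return value[:keep] + "*" * (len(value) - keep)

def scan_text(text, window=2):
    """Report each key ID and whether a secret-shaped string sits within
    `window` lines of it, which would make the pair directly usable."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for match in KEY_ID_RE.finditer(line):
            nearby = lines[max(0, i - window): i + window + 1]
            has_secret = any(SECRET_RE.search(n) for n in nearby)
            findings.append({
                "line": i + 1,
                "key_id": redact(match.group(0)),
                "kind": "temporary" if match.group(1) == "ASIA" else "long-term",
                "secret_nearby": has_secret,
            })
    return findings

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_DUMP):
        print(finding)
```

Other 40-character strings, such as hexadecimal commit hashes, also match the secret pattern, so `secret_nearby` is a prompt for review and key rotation rather than proof of a usable pair.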
Aftermath of the data breach
Volkswagen is known for its over-possessiveness with customer data. This is not just the case for the German automobile giant; the entire automotive industry is criticized for its over-collection of data. Mozilla conducted a study for over 600 hours and concluded that automobile brands collect excessive data that they may never even need.
They also found that 86% of the vehicle makers sell the data to not-so-well-regulated data brokers while claiming that this is not data trafficking as the data is anonymized! They are also not very transparent about the security and encryption process they follow.
Volkswagen is openly criticized because of its data retention around precise location details under the pretext of evaluating battery performance. This is totally non-compliant with GDPR as the latter clearly requires data minimization and encryption for personal and sensitive data.
Vehicle owners are often clueless about the humongous data trail they are leaving behind every time they take their cars out on the road.
Relevant authorities, such as Lower Saxony’s State Data Protection and the Federal Ministry of the Interior, have been informed by the Chaos Computer Club.
Cariad has taken immediate mitigation steps and fixed the vulnerabilities. Experts, however, are unhappy with Volkswagen’s irresponsible handling of sensitive customer data.
Automobile industry on the radar of cybercriminals
The automotive industry has been on the radar of threat actors for the past couple of decades. Ransomware attacks and data breaches hamper everyday operations, result in humongous losses, and make millions of customers vulnerable to cyberattacks.
In 2023, an insider leaked 100 GB worth of Tesla employee data on the Dark Web. The data included trade secrets, employee details, and customer information. The data breach highlights internal threats and focuses on the requirement of a centralized data management system to avoid any such mishap in the future.
Similarly, a ransomware attack crippled the services of around 15K car dealers across North America. This time, the victim was CDK Global, a renowned software provider for automotive dealership companies. Car dealers lost a whopping $944 million because of this cyberattack.
Cybersecurity has become an essential requirement across industries, including automotive, finance, and healthcare. These incidents serve as a stark reminder that robust cybersecurity measures are no longer optional but a critical necessity.
Every sector, whether private or public, must implement strong systems to defend against increasingly sophisticated threats posed by malicious actors. This includes deploying effective phishing protection to safeguard sensitive data and maintain operational integrity.