UPDATED 18:44 EST / DECEMBER 30 2024

SECURITY

Location data from 800,000 Volkswagen vehicles exposed by cloud misconfiguration

A misconfiguration in a cloud environment made data from hundreds of thousands of Volkswagen AG vehicles available online, multiple publications reported today.

The issue was brought to the attention of German newspaper Der Spiegel by a whistleblower. Researchers from Chaos Computer Club, a cybersecurity association, also played a role in uncovering the data leak.

The misconfigured cloud environment that contained the information is operated by a Volkswagen unit called Cariad. Formed in 2020, it develops software for the vehicles of the automaker and of more than a half-dozen of its subsidiaries. The unit also designs hardware components such as sensors for driver assistance systems.

The misconfigured cloud environment, which Cariad hosted on Amazon Web Services, contained location data from about 800,000 electric vehicles. The dataset includes “precise” information about 460,000 of those vehicles. 

The most accurate location records were collected from certain cars that Volkswagen sells under its own brand and through its Seat subsidiary. According to Der Spiegel, those records were “accurate to within ten centimeters.” Meanwhile, the location data from Audi and Skoda models is accurate to within six miles.

In some cases, it’s reportedly possible to link the leaked records with the personal information of the affected vehicles’ owners. The researchers who analyzed the dataset managed to extract names and contact details, as well as monitor whether an electric vehicle is on or off. In one case, Der Spiegel determined the dataset made it possible to track the location of two German politicians.

The auto industry has several standards, such as ISO/SAE 21434, that outline how carmakers should go about securing their infrastructure. Those standards include a set of best practices that a company can adopt to reduce the risk of vulnerabilities finding their way into its systems.

As part of their breach prevention efforts, automakers are also increasingly equipping cars with cybersecurity hardware. The movement of data between a car’s subsystems is managed by a specialized chip that functions as a kind of network switch. In some vehicles, the switch includes a built-in firewall that filters malicious data traffic. 

The leaked Volkswagen dataset reportedly contained several terabytes’ worth of information that was accessible online for several months. In a statement, the automaker said that accessing the records required “bypassing several security mechanisms, which required a high level of expertise and a considerable investment of time.” That suggests hackers may not have managed to find a way of downloading the information before Volkswagen patched its cloud environment.

The automaker added that the dataset didn’t contain customers’ payment details or login credentials. 
