Volkswagen has revealed that a vendor’s security oversight led to the exposure of data belonging to around 3.3 million customers and prospective buyers. The automaker said information was exposed after a supplier left the data unsecured online.
In a customer letter, Volkwagen said most of the exposed data included names, addresses, emails, and phone numbers. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages.
Around 90,000 potential loan clients in the U.S. and Canada also had more sensitive data exposed, including driver's license numbers. Volkswagen said date of birth and social security numbers were exposed in a "small" number of cases.
Data left unsecured for two years
The data exposed was collected between the years 2014-2019 and was left unprotected online between August 2019, and May 2021. The company didn't name the vendor responsible for the data exposure, nor did it say whether it knows if the data has been misused by scammers. Volkswagen said it has informed the appropriate authorities about the situation.
“We take the safeguarding of your information very seriously,” the company said. “We have informed the appropriate authorities, including law enforcement and regulators. We are working with external cybersecurity experts to assess and respond to this situation and have taken steps to address the matter with the vendor.”
VW said in the letter that it has partnered with IDX to provide customers with free credit protection services, including monitoring, insurance reimbursement, and identity theft recovery services if any issues arise.