Data Leak at VW - Is This the Next Dieselgate?

Welcome to Issue #49 of The German Autopreneur!

First of all: Happy New Year! It's great to have you with me.

2024 ended on a disturbing note: VW admitted to the largest data leak in automotive history. Movement data from 800,000 vehicles was freely accessible online. Including GPS profiles of police, military, and intelligence services.

In today's story, we'll look at what happened, why it matters, and what it means for the industry.

Reading time: 5 minutes

🔓 The Largest Data Leak in Automotive History

Just when you think Volkswagen's scandal series couldn't get worse... it does.

SPIEGEL magazine discovered a massive security breach at VW. They investigated this issue with Chaos Computer Club (CCC). That’s Germany's largest white hat hacker organization.

A CCC expert said:

"German automakers spent years warning about government surveillance - now they're operating Europe's largest private data collection system themselves."

Here's what happened:

• Movement data from 800,000 European vehicles was unprotected in an Amazon AWS cloud

• For 460,000 vehicles, GPS data was accurate to within 10 centimeters

• Affected vehicles include VW, Audi, Seat, and Skoda models

• The worst: The data could be linked to specific individuals through email addresses, phone numbers and home addresses

Beyond private citizens, the leak exposed:

• Police vehicles

• Cars at Germany's intelligence headquarters (BND)

• Vehicles at the US military airbase in Ramstein

• Intelligence agency staff cars

VW's terms of service promise to limit GPS data accuracy. Reality? VW and Seat stored exact coordinates - violating their own data protection guidelines.

Even worse: EU data laws (GDPR) ban collecting sensitive information. Examples include data about political views or health conditions. Yet anyone could easily deduce these details from the movement profiles.

While Volkswagen claims they have "no evidence of data misuse," they can't possibly know who accessed the data. For months, anyone with basic hacking tools could retrieve this information.

So, How Could This Happen?

You'd think: After Dieselgate, VW would be extremely careful to avoid future mistakes.

They were.

VW built countless control mechanisms to prevent new scandals. But this excessive caution backfired - as a former developer at CARIAD (VW's software unit) describes on LinkedIn:

The core message: VW built so many controls that the system became paralyzed. A simple technical mistake had massive consequences. Anyone with basic hacking tools could access everything.

Some background on CARIAD: The unit was founded in 2019. Since then, VW invested around €13 billion. At its peak, 5,000 software developers worked there on one vision: Transform VW into a software-first company. But after multiple delayed car launches due to software problems, VW changed course. They now partner with tech companies instead: Xpeng in China and Rivian in the West.

The cost could be enormous. EU fines can reach 4% of annual revenue. Based on VW's 2023 revenue, that could mean up to €13 billion - plus lawsuit damages. Ironically, that's exactly what VW invested in CARIAD over the past years.

And timing couldn't be worse. VW just launched a massive cost-cutting program. They're reducing production in Germany and cutting thousands of jobs - largely due to falling sales in China.

What Can We Learn From This?

This once again proves how crucial software has become in automotive. One digital mistake can now threaten an entire company.

And also: More bureaucracy doesn't mean more security. Often, it causes the opposite.

But there's more... and this is probably most important:

German automakers spent decades building their reputation. Trust is perhaps their most valuable asset.

They've long positioned themselves as the trustworthy alternative to US and Chinese competitors. "Your data is safe with German brands" was a central selling point.

That advantage is now gone.

This trust crisis hits German automakers at their core. Without trust, they face a serious challenge: They currently can't match Chinese competitors on either technology or cost.

How serious is this crisis of confidence? In China, Audi recently launched a new sub-brand - without their iconic four rings logo. Why? Because many Chinese consumers no longer associate the brand positively.

This data leak shows a painful truth: In trying to prevent another Dieselgate, VW may have created something just as damaging. While the financial cost might be much less than Dieselgate, the loss of trust could prove even more expensive in the long run.

🔗 SPON | CCC | Hlib Radchenko | CSN | P. Raquel Bise | MM | Katja Diehl | AH | HB | TV | TC | BI

That's all for today.

Feel free to reply to this email with your thoughts.

Until next week,
— Philipp

PS: If you find value in this newsletter, please share it with someone who might benefit. Your support helps me continue my independent work for the automotive industry.

LinkedIn | About me | German Version