800,000 Volkswagen cars' location data has been leaked, and it has been ongoing for a few months

【PCauto】Due to a lapse by the software company Cariad, Volkswagen Group's 800,000 electric vehicle location data in Europe was leaked and publicly accessible on the internet for several months. The affected vehicles include brands like Volkswagen, Audi, SEAT, and Skoda, with specific models such as ID.3 and ID.4 having their owners' location data exposed.

The scope of this incident is much broader than anticipated. It not only involves the location data of ordinary users' vehicles, but also includes owners' identity information and travel patterns. More critically, the vulnerability also affected the whereabouts of German government officials and public safety systems.

It was revealed that the real-time location data of dozens of official cars of German politicians, as well as some police vehicles, were also leaked in this incident. It includes 35 electric vehicles in the Hamburg police station fleet, other politicians, business leaders, Bundesnachrichtendienst employees, and drivers from the US Air Force's Ramstein Air Base.

Using the data, people were able to precisely track the daily movements of two German politicians. One of them is a member of the German Defense Committee, and his car's location data revealed frequent visits to his father's nursing home as well as the country's military barracks.

The other politician's itinerary showed her daily route from the municipal hall where she works to her therapist.

The Federal Commissioner for Data Protection and Freedom of Information (BfdI) in Germany expressed serious concern about the incident and rapidly launched a joint investigation. Chairman Klaus Müller emphasized at a press conference:

"This leak not only poses a significant threat to citizens' privacy, but also exposes serious vulnerabilities in the technical security of public institutions. We need to conduct a comprehensive review of this matter to ensure that similar incidents do not happen again."

In its latest statement, Volkswagen Group acknowledged the severity of the data breach involving vehicles of government officials and law enforcement agencies, and stated that it has collaborated with relevant government departments to strengthen the protection and remediation of the affected data. The company has committed to providing technical support to help public security agencies quickly close the vulnerabilities and has also pledged to offer compensation to the affected individuals and organizations.

Technical analysis of the incident shows that this vulnerability originated from a major mistake made by Cariad in the design of the API. Although the initial intention of the technology was to provide efficient interconnection capabilities, the lack of strict security testing and monitoring during the development and deployment process allowed sensitive information to leak through unprotected channels.

In this incident, the hacker group Chaos Computer Club played a key role by notifying Cariad about the vulnerability.

Industry experts point out that this event not only exposed technical issues within automobile manufacturing companies but also highlighted gaps in the industry's management and compliance practices. European data protection authorities are pushing for a special review of the connected car sector and are calling for the establishment of stricter regulatory standards to ensure the security of connected technologies.