One of Volkswagen’s vendors left a system exposed for nearly two years, leaking the personal data of 3.3 million customers and prospective buyers, nearly all of them tied to the automaker’s luxury Audi brand, Volkswagen America said last week.
The breach took place between August 2019 and May 2021, Volkswagen said in a letter to the Maine Attorney General that was first spotted by TechCrunch reporter Zack Whittaker.
The car maker said that the data, mostly collected for sales and marketing, was exposed by a vendor used by Volkswagen, its Audi subsidiary and authorized dealers.
For upwards of 97 percent of those affected, the exposed data was limited to contact information (names, postal and email addresses, and phone numbers) and, in some cases, details of the vehicle they bought, leased or asked about.
Roughly 90,000 buyers or prospective buyers got hit harder, since more sensitive data about them, mostly driver’s license numbers and in a small number of cases dates of birth and Social Security numbers, sat on the vendor’s exposed server, as Volkswagen explained in its letter:
For over 97% of the individuals, the exposed information consists solely of contact and vehicle information relating to Audi customers and interested buyers, including some or all of the following contact information: first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also includes information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages.
For approximately 90,000 Audi customers or interested buyers, the data also includes more sensitive information relating to eligibility for a purchase, loan, or lease. Nearly all of the more sensitive data (over 95%) consists of driver’s license numbers. A very small number of records include data such as dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers.
Why Did It Take Two Months to Secure that Server?
Volkswagen said that it first learned of the exposure on March 10. The company didn’t explain why the data remained exposed until last month, or why the unnamed vendor took two months to secure its server. It’s also unknown whether anyone downloaded the data during the nearly two years it sat open on the internet. Threatpost has contacted Volkswagen for comment.
Anyone whose data was exposed is at risk of fraud: the contact and vehicle details leaked for the bulk of the victims are exactly what a convincing, targeted phishing message needs, and the smaller group whose driver’s license or Social Security numbers were exposed faces identity theft. But customers who drive Audis are also susceptible to having their pricey rides stolen: the 2021 Audi A4, for example, sets you back anywhere from $39,100 to $51,900.
Luxury cars are protected by deluxe anti-theft technology, but that technology can be foiled. One video shows thieves breaking into an Audi RS4 in just 90 seconds by smashing a window and plugging a device into the dashboard, assumed to be a piece of equipment available online that is used to silence alarms and program blank key fobs.
But cybercrooks don’t need fancy gadgets to profit from car owners. They can opt for simpler attacks such as phishing or ransomware, having learned that the data automotive companies hold, from customer and employee personally identifiable information (PII) to financial data, is invaluable.
In one case, an attacker installed a keystroke logger on the workstation of a car dealership’s finance specialist to harvest their credentials and access customer credit reports. In another, a ransomware attack on Toyota Australia led to delays in servicing and disruption in the supply of parts.
Undeserved Trust Put in Unsecured Vendors
JupiterOne CISO Sounil Yu noted that the breach points to a problem with supply chains: Namely, “We put too much trust in them,” he said.
Yu pointed to President Biden’s recent Executive Order, noting that it’s heavy on the push to Zero Trust architecture but that it’s “applied primarily to things, such as networks and endpoints.”
He suggested in an email to Threatpost on Monday that a Zero Trust approach be applied to suppliers as well, as opposed to the current practice of “sending vendors long questionnaires” and only occasionally asking for proof about their answers.
“We trust that those answers are correct and that the vendor is actually performing the security activities that they attested to,” he noted.
Dirk Schrader, global vice president at New Net Technologies, agreed: In an email to Threatpost on Monday, he called this breach “another cyber gaffe in the third-party supply chain.”
Unfortunately, while specialization is one of the main reasons for outsourcing to third parties, that specialization doesn’t necessarily include cybersecurity, he observed. “Whether this is due to lack of resources, of knowledge, financial incentive or because Volkswagen – being the reporting entity here – didn’t require certain standards and levels of protection in place is hard to say.”
Most likely it’s “a toxic mixture of everything,” Schrader said. “For the 3rd party, one lesson learned is an old one, ‘you’re never too benign, too small, too unknown’, attackers will find you,” he emphasized.
The fact that it took the vendor and Volkswagen so long to detect the breach is “telling” when it comes to a lack of capabilities, he said.
For what it’s worth, Schrader offered this interesting side note: “Volkswagen, being a German company, is also a member of the VDA (the German Association of the Automotive Industry). VDA has cyber security requirements in place for 3rd parties in this sector, addressing capabilities required.”