A data breach at a Volkswagen vendor has impacted millions of customers and prospective car purchasers across North America.
The breach occurred after information gathered by the vendor between 2014 and 2019 for sales and marketing purposes was stored electronically in an unsecured file for years.
The majority of the individuals whose data was compromised were potential buyers or current customers of luxury car brand Audi. The Volkswagen Group formed Audi in 1969 after it bought the Auto Union from rival Daimler-Benz.
On June 11, the American arm of the Volkswagen Group revealed that an unauthorized third party had obtained small amounts of personal data belonging to customers and prospects from a digital sales and marketing company used by its Audi Volkswagen brands. VW dealers based in Canada and the United States also used the services of the vendor.
VW identified the source of the incident in May this year but believes that the data could have been illegally accessed at any point between August 2019 and May 2021.
Information exposed in the security incident included phone numbers and email addresses, and in some cases details of vehicle leasing, purchases, and purchase inquiries.
Volkswagen said it will offer free credit protection services to the 90,000 Audi customers and interested potential buyers or leasers whose sensitive data was accessed in the data breach. Included in the sensitive data was driver license numbers, Social Security numbers, account or loan numbers, tax identification numbers, and dates of birth.
In a letter sent to customers, VW said: “We take the safeguarding of your information very seriously. We have informed the appropriate authorities, including law enforcement and regulators.
"We are working with external cybersecurity experts to assess and respond to this situation and have taken steps to address the matter with the vendor.”
The automaker warned those impacted by the breach to be on the lookout for phishing emails.
Automotive News reported that Audi of America president Daniel Weissland identified the vendor as Shift Digital, of Birmingham, Michigan, in an email sent Thursday. The news source claims that the vendor's identity has been verified by "two dealers with knowledge of the situation."