Cyber Incident Victim: Volkswagen

On June 11, 2021, Volkswagen Group of America disclosed a data breach impacting approximately 3.3 million customers and prospective buyers across its Volkswagen and Audi brands in the United States and Canada. The incident involved unauthorized access to customer data managed by an undisclosed third-party vendor that provided marketing services to Volkswagen, Audi, and their dealership networks. Exposed information included basic contact details such as names, mailing addresses, email addresses, and phone numbers for the majority of affected individuals. A subset of records also contained vehicle identification numbers (VINs) associated with customer inquiries or purchases. The compromised data had been aggregated and stored by the vendor between 2014 and 2019 for marketing campaigns targeting potential and existing vehicle owners.

Volkswagen identified 90,000 U.S. residents—primarily linked to Audi transactions—whose highly sensitive personal information was exfiltrated, including driver's license numbers in most cases. A smaller subset of this group had additional compromised data points such as Social Security numbers, dates of birth, and account numbers associated with Audi or Volkswagen financial services. The company confirmed the breach originated from an unsecured electronic file maintained by the vendor, though no evidence suggested operational systems or dealership IT infrastructure were directly compromised. Volkswagen initiated direct notifications to severely impacted customers, offering complimentary credit monitoring services through a third-party provider. The automaker emphasized that individuals who merely inquired about vehicle purchases during the affected period were included in the breach dataset, though no evidence of misuse was confirmed at the time of disclosure. Public guidance urged vigilance against phishing attempts leveraging the exposed contact information.