3.3 Million Victims Struck by VW/Audi Breach

If you’re one of over 3 million VW or Audi fans in the U.S., check your mailbox and inbox for a notification letter from Volkswagen. The company learned a third-party provider recently suffered a data breach, putting the personally identifiable information (PII) of millions up for grabs. VW calls the incident a data breach, but how it really happened would make anyone’s engine overheat.

Volkswagen claims a marketing services provider with VW and Audi customer data left it on an unsecured server for anyone to find. The exposed data was collected between 2014 and 2019 and was left unprotected for 21 months. The time frame for the data exposure is from August 2019 until sometime this year. The company says even those who didn’t purchase a VW or Audi may also be affected by the breach. Some 170,000 victims live in Canada, but VW believes their sensitive PII wasn’t involved.

A Trail of Victim PII

For those affected, the unsecured PII for the majority of victims includes names, mailing, email addresses, and phone numbers. For about 90,000 other victims, driver license information, account or loan numbers, Social Security or social insurance numbers, and tax ID numbers were exposed. In the wrong hands, all the unsecured data could mean a plethora of cybercrimes are waiting to happen or have happened already.

VW is offering free credit protection for those who had their driver’s license number or other sensitive data exposed. Security experts say those victims should take advantage of the credit protection offer, immediately. In a statement by Volkswagen, the company says if you have received a breach notification but “…you have not interacted with Audi, Volkswagen or an authorized dealer directly…you are likely someone who was included as a personal relative or personal reference.”

Step Away from the Email

Other than taking advantage of VW’s credit protection offer, all victims should be on the lookout for potential cybercrimes involving their PII. Email phishing attacks are expected, and any email claiming to have breach information should be scrutinized as being fraudulent. Don’t act on any emails claiming to be from VW, especially those with attachments or links in the content. Should you have any suspicions, step away from the email and contact VW directly to verify if the email is from them. Lookup the real VW contact info yourself, and never use any information provided in the email as it could be a setup for further crimes.

While VW claims they’re continuing to investigate the data breach, the damage has already been done. Just ask one of the 3.3 million victims and they’ll likely tell you the same. Beep-beep.

Stickley on Security