Security Experts:

Connect with us

Hi, what are you looking for?



Volkswagen America Discloses Data Breach Impacting 3.3 Million

Volkswagen Group of America this week revealed that approximately 3.3 million people might have been affected in a data breach that impacted both Audi of America and Volkswagen of America (together VWGoA).

Volkswagen Group of America this week revealed that approximately 3.3 million people might have been affected in a data breach that impacted both Audi of America and Volkswagen of America (together VWGoA).

The incident was discovered on March 10, 2021 and a law enforcement investigation was immediately launched into the matter, the auto conglomerate said.

The investigation revealed that a third party gained access to various information gathered between 2014 and 2019 and which was left exposed “at some point between August 2019 and May 2021,” when the source of the leak was identified.

“VWGoA discovered the information at issue included more sensitive personal information on or about May 24, 2021. VWGoA completed the analysis to identify which specific individuals were impacted on or about June 7, 2021,” the company said in a letter to the Maine Attorney General.

[ Related: Auto Insurance Giant GEICO Discloses Data Breach ]

As part of the incident, “limited personal information” on customers and interested buyers in the United States and Canada was accessed, VWGoA says. The data was leaked by a vendor that Audi, Volkswagen, and authorized dealers use.

The exposed data includes names, email and mailing addresses, and phone numbers. In some cases, information on the purchased or leased vehicles was also compromised, including Vehicle Identification Number (VIN), make, model, color, trim packages, and year.

More than 3.3 million individuals were impacted in the incident. According to VWGoA, for “over 97% of the individuals, the exposed information consists solely of contact and vehicle information relating to Audi customers and interested buyers.” 

For roughly 90,000 Audi customers, or individuals interested in making a purchase, the leaked data also includes information on eligibility for a purchase, loan, or lease. In most cases (over 95%), this includes driver’s license numbers.

“A very small number of records include data such as dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers,” VWGoA says.

The company is already informing the affected individuals of the data breach. A copy of the letter sent to customers and interested buyers was also filed with the Maine Attorney General’s office.

Related: Auto Insurance Giant GEICO Discloses Data Breach

Related: Oilfield Services Company Gyrodata Discloses Data Breach

Related: Shell Says Personal, Corporate Data Stolen in Accellion Security Incident

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.