Comment on the VW data breach: GDPR, show your teeth!
Volkswagen has made a first-class data mess. Philipp Steevens believes that the GDPR penalty for this should really hurt.
(Image: skovalsky/Shutterstock.com/heise online)
At the 38th Chaos Communication Congress, CCC security researchers revealed what may be the biggest data breach ever discovered. Through a subdomain query against the website of Cariad, the IT service provider of the Volkswagen Group, they found an API endpoint serving a freely accessible data dump.
Inside was the main prize: AWS access credentials. On top of that came client IDs and the matching secrets for the Volkswagen Group's identity service. This made it possible to extract 15 million data points on vehicles and over 600,000 records on VW customers, some of which included email address, date of birth and postal address. And what's more: 9.5 TByte of event data, including geocoordinates – in the case of Seat and VW accurate to the sixth decimal place, i.e. 10 centimeters.
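The dump described above contained live cloud credentials and identity-service secrets in plain text. As an added example, not part of the article or of Cariad's tooling, here is the kind of pre-publication check a defender would run over any exported artifact before it can reach an endpoint: a small secret scanner over a constructed configuration dump. The dump contents, the rule names and the redaction format are all assumptions made for this example; none of the values are real credentials.

```python
import re

# Constructed stand-in for an exported dump. Nothing here is a real credential;
# the AWS-style key ID follows the public "AKIA" + 16 character format only in shape.
DUMP_TEXT = """
app.name=telematics-ingest
aws.accessKeyId=AKIAEXAMPLEDEMO00001
aws.secretAccessKey=EXAMPLEsecretKEYvalueNotRealAbcdef1234567890
idp.clientId=example-client
idp.clientSecret=not-a-real-secret
db.host=db.internal.example
"""

# Detection rules (hypothetical names). The first matches the documented shape of
# AWS access key IDs; the second flags any assignment to a secret-like key name.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "secret_assignment": re.compile(
        r"(?i)\b(?:secret|password|client_?secret|secretAccessKey)\s*[=:]\s*\S+"
    ),
}


def redact(match_text: str, keep: int = 4) -> str:
    """Keep only a short prefix so a finding can be reported without re-leaking the value."""
    return match_text[:keep] + "..." if len(match_text) > keep else match_text


def find_secrets(text: str) -> list:
    """Scan line by line; report at most one finding per rule per line.

    Returns a list of dicts with the rule name, 1-based line number and a
    redacted excerpt, so the artifact can be blocked and the owner notified.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append({
                    "rule": rule,
                    "line": line_no,
                    "excerpt": redact(m.group(0)),
                })
    return findings


def artifact_is_publishable(text: str) -> bool:
    """Gate for a release or deployment step: refuse if any finding exists."""
    return not find_secrets(text)


if __name__ == "__main__":
    for f in find_secrets(DUMP_TEXT):
        print(f"{f['rule']:20} line {f['line']}: {f['excerpt']}")
    print("publishable:", artifact_is_publishable(DUMP_TEXT))
```

A scanner like this belongs in the build or export pipeline, not only in a periodic audit: the point is that an artifact containing a cloud key never becomes reachable in the first place, and that the report redacts what it found rather than copying the secret into yet another log.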
Brothel visits can be reconstructed
Although, according to the CCC, the IT staff at Cariad reacted professionally after becoming aware of the incident, Volkswagen has already begun the embarrassing evasions again: "For customers, there is 'no need for action, as no sensitive information such as passwords or payment data is affected'." VW is using a straw man here, because the information found is far more sensitive than login data and credit card numbers.
What data journalist Michael Kreil demonstrated at 38C3 using this data can only be described as frightening to catastrophic. Using the geodata of almost 470,000 vehicles, the CCC was able to reconstruct daily and weekly routines, uncover the identities of VW drivers' children and even trace juicy details such as visits to brothels – even when people took a VW cab, because after all, the cab has to set off from somewhere. In addition to the driving behavior of police officers, the identities of intelligence service employees could also be reconstructed from the data. Please WHAT?
Data minimization is not just decoration
This incident is a prime example of why data minimization should also be in the interest of the companies collecting the data, who can't get enough of their customers' information. If VW wants to improve its batteries, it needs charging states and distance traveled, not the vehicle coordinates and the exact times of charging as well. To find a parked car, a one-off signal triggered by an app, which the application forgets after a short time, would also be sufficient.
There is no need to collect and store all of this data. The car manufacturer from Lower Saxony is not the only culprit: the Mozilla Foundation criticized the data collection behavior of 25 different car manufacturers back in 2023. Consequences must now follow.
Hopefully that will be expensive
In his presentation at 38C3, Michael Kreil particularly emphasized the violation of Article 9 GDPR: data may not be processed if it reveals political opinions, religious or philosophical beliefs, trade union membership or a person's sex life or sexual orientation. All of this information is contained in the VW and Seat geocoordinates, which are accurate to 10 centimeters. Even if Cariad and VW say they have never merged the data sets, the processing cannot be called secure. The reason: the data was neither pseudonymized nor encrypted, which Article 32 GDPR requires at this point.
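The two paragraphs above make a concrete engineering point: the battery statistics VW says it needs can be kept while the identifier, the exact position and the exact time are not. As an added example, not code from the article, from VW or from Cariad, the following shows what data minimization plus pseudonymization (the measures Article 32 names) look like on one event record. The record layout, the field names, the VIN-style identifier and the key are all constructed for this example; the precision figures in the comments follow from the article's own observation that six decimal places correspond to about 10 centimeters.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample of the kind of event record the article describes:
# vehicle identifier, timestamp, and coordinates with six decimals (~10 cm).
SAMPLE_EVENTS = [
    {"vin": "WVWZZZ1KZAW000001", "ts": "2024-11-03T08:17:42Z",
     "lat": 52.520008, "lon": 13.404954, "soc_pct": 71, "odometer_km": 18233},
    {"vin": "WVWZZZ1KZAW000001", "ts": "2024-11-03T08:52:10Z",
     "lat": 52.516275, "lon": 13.377704, "soc_pct": 63, "odometer_km": 18241},
]

# Hypothetical pseudonymization key. It is constructed here; in a real deployment
# it lives in a KMS/HSM, separate from the event store, so the store alone cannot
# be mapped back to vehicles.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymize_id(vin: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace the VIN with a keyed HMAC: stable, so records of one vehicle can
    still be joined, but not reversible without the key."""
    return hmac.new(key, vin.encode(), hashlib.sha256).hexdigest()[:16]


def coarsen_coordinate(value: float, decimals: int = 2) -> float:
    """Drop precision. Six decimals is ~10 cm (which building, which entrance);
    two decimals is roughly 1 km, enough for charging-network statistics."""
    return round(value, decimals)


def coarsen_timestamp(ts: str) -> str:
    """Truncate to the hour so daily routines cannot be reconstructed minute by minute."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0).strftime("%Y-%m-%dT%H:00Z")


def minimize_event(event: dict, keep_location: bool = False) -> dict:
    """Keep only what the stated purpose (battery improvement) needs:
    charge state and distance. Pseudonymize the identifier, coarsen the time,
    and drop the position entirely unless a purpose for it is declared."""
    out = {
        "vehicle": pseudonymize_id(event["vin"]),
        "hour": coarsen_timestamp(event["ts"]),
        "soc_pct": event["soc_pct"],
        "odometer_km": event["odometer_km"],
    }
    if keep_location:
        out["lat"] = coarsen_coordinate(event["lat"])
        out["lon"] = coarsen_coordinate(event["lon"])
    return out


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(minimize_event(ev, keep_location=True))
```

The order of operations matters: the minimized record is what gets stored and exported, and the raw VIN, exact coordinates and exact time are never written to the long-term store at all. A dump of the minimized table would still be a breach, but it would not let anyone reconstruct who parked in front of which building at what minute.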
This enormous negligence qualifies the financially ailing VW Group for a substantial fine. Now the GDPR can and must finally show its teeth and prove that it is not merely paper used to harass small companies that cannot afford or do not want to comply. It must hit the supposed flagship company with a bang and then sweep through the entire industry with a vengeance. After all, a breach of Article 9 GDPR can cost four percent of the previous year's turnover. The VW Group estimates this at 320 billion euros for 2024.
The 12.8 billion euros that will hopefully be due could certainly be invested in urgent problem areas such as education. For example, children, young people and trainees could learn directly at their schools how not to handle data – but also how to use their curiosity and simple tools to make big companies fall flat on their faces.
This commentary is the editorial of iX 2/2025, which will be published on January 24, 2025.
(pst)