Volkswagen has revealed that information about 3.3 million customers and prospective buyers was exposed after a supplier left the data unsecured online, TechCrunch has reported. The automaker gathered the information for sales and marketing purposes and most of the exposed data included names, addresses, emails and phone numbers. However, around 90,000 individuals (related to potential purchase, loans and leases) in the US also had more sensitive data exposed. That included driver's license numbers and in a "small" number of cases, date of birth and social security numbers.
The automaker wrote in a customer letter that an unnamed vendor used by VW, Audi and authorized dealers left customer data from 2014-2019 exposed between August 2019 and May 2021. However, it didn't say whether the information had been used by scammers. "We have also informed the appropriate authorities, including law enforcement and regulators, and are working with external cybersecurity experts and the vendor to assess and respond to this situation," a spokesperson told TechCrunch.
Driver's license and social security numbers can be valuable to hackers, especially if combined with addresses, phone numbers and other data. After a recent insurance customer breach, Geico said that it believed fraudsters may have used stolen driver's license numbers to apply for unemployment benefits. In its letter, VW said that it has partnered with IDX to provide customers with free credit protection services, including monitoring, insurance reimbursement and identity theft recover services, "should that occur."
Update 6/14/2021 2:45 PM ET: Volkswagen has clarified that of the 90,000 individuals who had their driver's licenses and SSN's exposed, all were in the US and not also in Canada as the article originally stated. In addition, 95 percent of the sensitive data was driver's license information. That data related to potential purchases, loans or leases and not just loans as originally stated.