Electric vehicle drivers’ details exposed: Lessons learned from the breach
Posted: January 17, 2025
A data breach at Cariad, a company that provides software for connected cars, left the personal data of electric vehicle (EV) drivers exposed for several months – including location data, contact details, and information about how people used their cars.
The breach affected around 800,000 EV drivers, including German politicians, entrepreneurs, police departments, and potentially intelligence service members. The leak was caused by an unprotected and misconfigured Amazon cloud server.
Here’s a detailed look at what happened and how connected car companies can avoid similar incidents in the future.
What types of data were compromised?
In some cases, the breach exposed people’s precise location, accurate to a radius of 10cm. This level of precision would have allowed a bad actor to track the movements of EV drivers. In other cases, location data was accurate up to 10km, which could still provide insights into a person’s behavior and routine.
Some contact details were also exposed, including names, email addresses, and sometimes home addresses.
The breach also exposed certain data about how drivers used their cars, such as the car’s battery status and the times at which the engine was turned on and off.
Had these sorts of data been collated and analyzed, a bad actor could have created a detailed profile of a driver’s movements. However, the issue was reported and seemingly resolved before anyone was harmed.
Cariad’s parent company Volkswagen emphasized that no payment information or passwords were involved in the incident.
What went wrong?
The breach stemmed from a misconfiguration of Cariad’s cloud storage service, provided by Amazon Web Services (AWS). There is no evidence of hacking, malware, or other forms of cyberattack.
It appears that the EV data was stored without adequate encryption or password protection, which left it vulnerable to unauthorized access for a period of several months.
Security misconfigurations are a common cause of data breaches. A misconfiguration was behind the disastrous Capital One breach of 2019, in which an attacker exploited a misconfigured firewall, allowing them to access around 100 million credit applications stored in AWS.
The vulnerability of EV drivers’ data was reported by an ethical hacker, seemingly before any serious damage was done. But in other instances, including the Capital One breach, bad actors have exploited the misconfiguration and exfiltrated personal data.
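A configuration check of the kind that catches storage left without access control or encryption, shown here as an added example that is not Cariad's or AWS's own code. It assumes an S3-style bucket (the article only says AWS cloud storage), and the bucket name, role and account ID are constructed.

```python
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample configurations (not data from the incident). The shape
# follows the bucket policy, public access block and default-encryption
# settings that S3 reports for a bucket.
WEAK = {
    "policy": json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-telemetry/*"}]}),
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": False,
                            "RestrictPublicBuckets": False},
    "encryption": None,
}
HARDENED = {
    "policy": json.dumps({"Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/telemetry-ingest"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-telemetry/*"}]}),
    "public_access_block": dict.fromkeys(PAB_FLAGS, True),
    "encryption": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
}

def _is_wildcard(principal):
    """True for "*" and for {"AWS": "*"} or {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def audit_bucket(cfg):
    """Return a list of findings; an empty list means no issue was detected."""
    pab = cfg.get("public_access_block") or {}
    findings = [f"public-access-block: {f} is off" for f in PAB_FLAGS if not pab.get(f)]
    policy = json.loads(cfg["policy"]) if cfg.get("policy") else {}
    stmts = policy.get("Statement", [])
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        # An Allow for everyone with no Condition grants anonymous access.
        if s.get("Effect") == "Allow" and _is_wildcard(s.get("Principal")) and not s.get("Condition"):
            findings.append(f"policy: anonymous Allow for {s.get('Action')}")
    rules = (cfg.get("encryption") or {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault") for r in rules):
        findings.append("encryption: no default server-side encryption rule")
    return findings
```

Running a check like this on a schedule, and alerting on any non-empty result, turns a months-long exposure window into one measured in hours.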
Lessons learned from the breach
Each new generation of connected cars offers new services, often requiring the collection of large volumes of increasingly detailed data. Connected car manufacturers and software providers must ensure such data is collected, used, and stored responsibly.
To help avoid incidents like this, consider the following practices:
- Transparency: Always ensure drivers understand what types of data you’re collecting and why. Provide concise “just-in-time” notices before collecting drivers’ data and a comprehensive privacy notice for those who want to know more.
- Consent: Where appropriate or required, request consent before collecting drivers’ data. Where you plan to use the data for multiple purposes, you’ll usually need to obtain consent for each purpose separately.
- Data minimization: The more data you collect, the harder it gets to secure the data. Make sure you apply the principle of “data minimization”: Only collect the minimum data necessary for a specific purpose.
- Anonymization, encryption, and pseudonymization: Where possible, anonymize personal data so that it cannot be linked to an individual driver. Where anonymization is not feasible, use techniques such as encryption or pseudonymization to add an extra layer of security to your data.
- Cloud security: Regularly check your security and server configuration settings to ensure personal data remains secure. Put in place monitoring tools to detect unauthorized access.
- Audits and penetration testing: Put your security measures to the test by engaging auditors and penetration testers to seek out vulnerabilities.
- Employee training: Data protection and security are everybody’s responsibility. Provide regular, mandatory training tailored to each of your company’s teams.
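To make the data minimization and pseudonymization practices concrete, here is an added example (not from the original article or any vendor's code) that reduces a telemetry record before storage. The field names, the analytics purpose, the sample record and the key are all assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed purpose: battery-health statistics. Only these fields are needed.
ALLOWED_FIELDS = {"battery_pct", "ignition_on", "ignition_off"}

def pseudonymize(vehicle_id: str, key: bytes) -> str:
    """Keyed hash: stable per vehicle, not reversible without the key."""
    return hmac.new(key, vehicle_id.encode(), hashlib.sha256).hexdigest()[:32]

def coarsen(lat: float, lon: float, decimals: int = 1) -> tuple:
    """Round coordinates; one decimal place is roughly an 11 km step in latitude."""
    return (round(lat, decimals), round(lon, decimals))

def minimize(record: dict, key: bytes, keep_location: bool = False) -> dict:
    """Drop contact details, replace the VIN, and keep at most a coarse area."""
    out = {"vehicle": pseudonymize(record["vin"], key)}
    out.update({k: v for k, v in record.items() if k in ALLOWED_FIELDS})
    if keep_location:
        out["area"] = coarsen(record["lat"], record["lon"])
    return out

# Constructed sample record; the VIN, name and coordinates are made up.
SAMPLE = {
    "vin": "WVWZZZEXAMPLE0001", "name": "Erika Mustermann",
    "email": "erika@example.org", "lat": 52.5200071, "lon": 13.4049541,
    "battery_pct": 81, "ignition_on": "2025-01-02T07:14:00Z",
    "ignition_off": "2025-01-02T07:52:00Z",
}
# Constructed demo key; a real key belongs in a secrets manager, stored
# separately from the pseudonymized data.
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    print(minimize(SAMPLE, KEY, keep_location=True))
```

If a store holding only records like these is exposed, the names, email addresses and precise coordinates are not there to leak, and the vehicle identifier cannot be mapped back to a VIN without the key.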