Volkswagen says vendor data breach exposed 3.3 million customers' information

Sensitive information of 90,000 customers, such as driver's license and Social Security numbers, was left unsecured for two years, the company says.

Sean Szymkowski
It all started with Gran Turismo. From those early PlayStation days, Sean was drawn to anything with four wheels. Prior to joining the Roadshow team, he was a freelance contributor for Motor Authority, The Car Connection and Green Car Reports. As for what's in the garage, Sean owns a 2016 Chevrolet SS, and yes, it has Holden badges.
Sean Szymkowski
2 min read
2021 Volkswagen ID4
Tim Stevens/Roadshow

More than 3.3 million Volkswagen and Audi customers had their data exposed for more than two years, according to the German automaker. In a letter, which TechCrunch obtained and reported on Friday, VW notified Maine's attorney general of the security lapse. The data comes from individuals who did business with VW or Audi between 2014 and 2019, and the unsecured period lasted two years between 2019 and 2021.

Volkswagen confirmed the breach. 

"We recently discovered that an unauthorized third party obtained limited personal information received from or about customers and interested buyers from a vendor that Audi, Volkswagen and some authorized dealers in the United States and Canada use for digital sales and marketing activities," a spokesperson said in a statement. "We regret any inconvenience this may cause our current or potential customers. As always, we recommend that individuals remain alert for suspicious emails or other communications that might ask them to provide information about themselves or their vehicle."

Most of the data, used for marketing purposes, included names, addresses, emails and phone numbers. However, the letter added, the vulnerability may have leaked 90,000 customers' more sensitive information used during loan eligibility procedures when buying a car. The information potentially exposed includes birth dates, driver's license numbers and a "very small" number of Social Security numbers, the company said.

"We are notifying all affected individuals directly, regardless of whether we are required to do so by law, and will offer free credit protection services to approximately 90,000 individuals for whom sensitive information was involved," the statement added.