More than 3.3 million Volkswagen and Audi customers had their data exposed for more than two years, according to the German automaker. In a letter, which TechCrunch obtained and reported on Friday, VW notified Maine's attorney general of the security lapse. The data comes from individuals who did business with VW or Audi between 2014 and 2019, and the unsecured period lasted two years between 2019 and 2021.
Volkswagen confirmed the breach.
"We recently discovered that an unauthorized third party obtained limited personal information received from or about customers and interested buyers from a vendor that Audi, Volkswagen and some authorized dealers in the United States and Canada use for digital sales and marketing activities," a spokesperson said in a statement. "We regret any inconvenience this may cause our current or potential customers. As always, we recommend that individuals remain alert for suspicious emails or other communications that might ask them to provide information about themselves or their vehicle."
Most of the data, used for marketing purposes, included names, addresses, emails and phone numbers. However, the letter added, the vulnerability may have leaked 90,000 customers' more sensitive information used during loan eligibility procedures when buying a car. The information potentially exposed includes birth dates, driver's license numbers and a "very small" number of Social Security numbers, the company said.
"We are notifying all affected individuals directly, regardless of whether we are required to do so by law, and will offer free credit protection services to approximately 90,000 individuals for whom sensitive information was involved," the statement added.