Description: Audi has been identified as shipping vehicles (up to at least 2024) with outdated and vulnerable software components, such as **FreeImage**, which lacks active maintenance and contains well-documented security flaws. These vulnerabilities expose connected cars to potential **remote exploits**, **data breaches**, and **system takeovers** via compromised firmware or third-party APIs. The insecure software violates the intent of **UNECE R155** (cybersecurity type approval) but persists due to weak enforcement and a disconnect between regulatory compliance and practical implementation. Attackers could exploit these flaws to manipulate critical vehicle systems (e.g., brakes, steering via CAN bus), exfiltrate sensitive driver data (location history, behavior patterns stored in cloud systems), or deploy **over-the-air (OTA) malware updates** affecting entire fleets. The systemic neglect of security standards—despite legal frameworks like **GDPR** and **ISO/SAE 21434**—undermines consumer trust and leaves drivers exposed to **large-scale cyber-physical attacks**, including scenarios where vehicle control could be hijacked, endangering lives and organizational liability.

Description: The cybercriminal group **Qilin** executed a targeted attack on **Volkswagen Group France**, compromising approximately **150 GB of sensitive data**, including **2,000 files** containing **confidential customer, employee, and business operation details**. The stolen data includes **personal information of vehicle owners** (names, addresses, emails) and **detailed vehicle records** (model designations, chassis numbers, license plates). Six sample documents were leaked as proof. The attack underscores the automotive industry’s vulnerability to **large-scale data breaches**, with extortionists increasingly targeting manufacturers for high-value intellectual property and customer data. The incident follows similar attacks on **BMW and Jaguar Land Rover**, highlighting systemic risks in the sector.

Description: Volkswagen, a leading global automaker, fell victim to a ransomware attack by the group **8Base** in September 2024. The attackers claimed to have breached Volkswagen’s systems, exfiltrating confidential files—including **invoices, accounting records, employee files, contracts, certificates, and confidentiality agreements**—before threatening to leak them on their dark web site. While Volkswagen asserted its **core IT infrastructure remained unaffected**, the incident raised concerns about potential **third-party system compromises** and the broader scope of the breach. The attack employed **Phobos ransomware** and **double-extortion tactics**, heightening risks of data exposure and operational disruption. The leaked information, though not immediately publicized, included sensitive internal documents, posing reputational and financial threats. The limited transparency in Volkswagen’s response further fueled speculation about the attack’s true impact on supply chain dependencies and partner ecosystems.

Description: The Maine Office of the Attorney General reported a data breach involving Volkswagen Group of America, Inc. on June 10, 2021. The breach, which occurred on March 10, 2021, affected over 3.3 million individuals, with approximately 90,000 individuals having sensitive personal information compromised, including driver's license numbers. The breach resulted from a vendor leaving electronic data unsecured between August 2019 and May 2021.

Description: The customer data of Volkswagen Group of America was breached in a cyberattack in March 20221. An unauthorized third party gained access to their servers and stole the information like phone numbers and email addresses, vehicle purchased, leased, or inquired about. More than 3.3 million customers in U.S. and Canadia were affected by the attack.

Description: A carmaker's online dealership portal was found leaking private customer information and vehicle data, allowing unauthorized access to remotely control car functions. A researcher discovered a flaw enabling the creation of an administrator account, granting access to customer data, financial details, and real-time location tracking of vehicles. The vulnerability also permitted pairing vehicles with mobile accounts to unlock cars, posing significant risks of theft and privacy breaches. The automaker fixed the issue after a week of reporting.

Description: A severe vulnerability in the automaker's dealer portal allowed unauthorized attackers to register dealer accounts, escalate privileges to national administrator, and remotely control vehicles. The flaw, stemming from hidden registration forms and weak session token management, enabled attackers to transfer car ownership and send remote commands via the vehicle enrollment API. This exposed all vehicles from 2012 onward with telematics modules, posing significant risks to customer safety and data integrity. The automaker has since patched the issue with stricter token validation and role-based access controls.