Volkswagen says the information of more than 3.3 million customers was exposed after one of its vendors left a cache of unsecured customer data on the Internet.
The carmaker said in a letter that the vendor used by Volkswagen, its subsidiary Audi and authorized dealers in the US and Canada left unprotected customer data spanning 2014 to 2019 over a two-year window between August 2019 and May 2021 .
The data, which Volkswagen gathered for sales and marketing, contained personal information about customers and potential buyers, including their names, postal and email addresses, and phone numbers.
But more than 90,000 customers across the US and Canada also had more sensitive data, including information related to loan eligibility. The letter said most of the sensitive data was driver’s license numbers, but a “smaller” number of records also included customer dates of birth and Social Security numbers.
Volkswagen did not name the seller, and a company spokesperson did not immediately comment.
This is the latest security incident involving driver’s license numbers in recent months. Insurance giants Metromile and Geico admitted earlier this year that their quote forms were misused by scammers trying to obtain driver’s license numbers. Several other car insurance companies have also reported similar incidents related to theft of driving license numbers. Geico said it was probably an attempt by scammers to file and cash out fraudulent unemployment benefits in someone else’s name.
However, Volkswagen’s letter did not say whether the company had evidence that the data disclosed by the seller was misused.