Volkswagen claims that more than 3.3 million customers have had their information exposed after one of its suppliers left an unsecured cache of customer data on the Internet.
The automaker said in a letter that the seller, used by Volkswagen, its Audi subsidiary and authorized dealers in the United States and Canada, left customer data covering the period 2014 to 2019 unprotected over a period of two years. between August 2019 and May 2021.
The data, which Volkswagen claims was collected for sales and marketing purposes, contained personal information about customers and potential buyers, including their names, mailing and email addresses, and telephone numbers.
But more than 90,000 customers in the United States and Canada also had more sensitive data exposed, including information relating to loan eligibility. The letter said most of the sensitive data was driver’s license numbers, but that a “small” number of records also included a customer’s date of birth and social security numbers.
Volkswagen did not name the seller and a company spokesperson did not immediately comment.
This is the latest security incident involving driver’s license numbers in recent months. Insurance giants Metromile and Geico admitted earlier this year that their quote forms had been abused by crooks trying to obtain driver’s license numbers. Several other auto insurance companies have also reported similar incidents involving the theft of driver’s license numbers. Geico said it was likely an effort by crooks to file and cash fraudulent unemployment benefits on behalf of another person.
Volkswagen’s letter, however, did not say whether the company had proof that the data exposed by the seller had been misused.