The VW Group Data Breach is a Business Problem, not an IT Failure.


Michael Kreil presents at 38c3 conference

In December 2024, the Chaos Computer Club revealed that VW Group’s software unit Cariad exposed 9.5TB of sensitive data affecting 800,000 VW, Seat, Audi, and Skoda owners. The breach included personal information and location histories that, despite Cariad’s claims otherwise, were easily tied by researchers to individual customers.

VW’s goal in collecting these data — to analyze anonymized data for improving battery performance — was reasonable. However, their poorly architected mobile app platform collected and stored data without basic engineering and security safeguards, leading to this exposure.

While this manifested as a security breach, it’s fundamentally a business problem, not an IT failure.

Root Cause vs Proximate Cause

When corners are cut on a vehicle and its supporting apps—where proper engineering can mean life or death—EPSD sees priorities that favor rushed features over sound architecture. The implementation failure is the proximate cause, not the root cause.

The true cause lies with VW Group and Cariad executive leadership.

A second unforced failure occurred when executives issued misleading public statements — even appearing to blame the victimized users for not opting out of app functionality that should have been secure in the first place. EPSD recommends the opposite approach, in which leaders acknowledge the problem, accept responsibility, and clearly state their plans to make it right (there are several great resources on these topics).

Making it Right

While hacks are inevitable and secure data systems are complex, high-performing engineering teams successfully protect sensitive data every day. The key fixes are organizational:

  • Establish clear senior executive ownership through a named executive with global data authority and accountability
  • Define a comprehensive global data governance strategy
  • Allow engineering teams time to produce excellent work without shortcuts
  • Implement proper architectural, engineering, and security review processes

Organizational Discipline

The solution requires no exotic measures—just integrity, recognition of data’s value, and executive oversight with clear authority and accountability. While not easy, the path is straightforward.

Sources

The breach was revealed in December 2024 by the CCC (presentation available in English and German), and the CCC cooperated on an article about it in the German news magazine Der Spiegel.