WASHINGTON — Volkswagen Group’s U.S. unit said a data breach at a vendor impacted more than 3.3 million customers and prospective buyers in North America.
Nearly all those impacted were current or potential customers of Audi, one of the German automaker’s luxury brands.
Volkswagen Group of America said on Friday an unauthorized third party obtained limited personal information about customers and interested buyers from a vendor that its Audi and Volkswagen brands and some U.S. and Canadian dealers used for digital sales and marketing.
The information was gathered for sales and marketing between 2014 and 2019 and was in an electronic file the vendor left unsecured.
The company told regulators that for the vast majority of customers, only phone numbers and email addresses were potentially impacted by the data breach. In some cases, the data also includes information about a vehicle purchased, leased, or inquired about.
VW said 90,000 Audi customers and prospective buyers had sensitive data impacted relating to purchase or lease eligibility. VW said it will offer free credit protection services to those individuals.
The sensitive data was comprised of driver's license numbers in more than 95 percent of cases. A small number of records included additional data like dates of birth, Social Security numbers and account numbers.
The automaker does not believe sensitive information is involved in Canada, where 163,000 customers were impacted.
More than 3.1 million people affected are in the U.S.
VW believes the data was obtained at some point between August 2019 and May of this year, when the automaker identified the source of the incident.
We recently discovered that an unauthorized third party obtained limited personal information received from or about customers and interested buyers from a vendor that Audi, Volkswagen and some authorized dealers in the United States and Canada use for digital sales and marketing activities. The information was gathered for these purposes between 2014 and 2019 and was in an electronic file that the vendor left unsecured.
We are notifying all affected individuals directly, regardless of whether we are required to do so by law, and will offer free credit protection services to approximately 90,000 individuals for whom sensitive information was involved.
We take data security very seriously and are committed to safeguarding personal information. We have also informed the appropriate authorities, including law enforcement and regulators, and are working with external cybersecurity experts and the vendor to assess and respond to this situation.
Based on our analysis to date, we believe that the vast majority of the information relates to Audi customers and interested buyers in the United States. At this time, the breakdown is as follows:
• Sensitive Information Relating to Eligibility for a Purchase, Loan, or Lease
    o Information relating to approximately 90,000 Audi customers or interested buyers in the United States.
    o This sensitive data was comprised of driver’s license numbers in more than 95% of cases. A very small number of records included additional data, such as dates of birth, Social Security numbers and account numbers.
    o To our knowledge, no sensitive information (as described above) is involved in Canada.
• Contact Information Received from or about Customers or Interested Buyers
    o Information relating to approximately 3.1 million Audi customers or interested buyers in the United States and approximately 163,000 in Canada.
    o Information relating to approximately 3,300 Volkswagen customers and interested buyers in the United States.
    o This information comprised data such as names, mailing addresses, email addresses or phone numbers and, in some cases, vehicle data such as VINs and vehicle features.
We regret any inconvenience this may cause our current or potential customers. As always, we recommend that individuals remain alert for suspicious emails or other communications that might ask them to provide information about themselves or their vehicle.