Hello,

News outlets are reporting a major data breach and leak at Volkswagen — and here’s what we know so far:

The problem: Thanks to extensive data collection systems, your connected car knows everywhere you’ve been. And if you drive a Volkswagen, Audi, SEAT, or Škoda, a recent data breach means someone else might know, too.

What’s been exposed: For months, the precise location data of approximately 800,000 electric cars was left vulnerable online. Worse, much of this data could be tied to the names and contact details of drivers, putting their privacy — and safety — at serious risk.[1]

How it happened: Several terabytes of this highly sensitive information were stored in an Amazon cloud database with minimal protection, making it easily accessible to... well, anyone.

Who is impacted: Volkswagen, Audi, SEAT, and Škoda vehicles in Europe and beyond were affected, meaning drivers, their families, and anyone else who set foot in these cars have been compromised.

How we know this: A whistleblower exposed this alarming vulnerability to the press, which emerged after a software update in mid-2024 and left the data exposed for several months. Volkswagen’s software team addressed and resolved the issue in late 2024.[2]

While this breach may be resolved, it underscores a far more troubling reality: car companies are brazenly collecting vast amounts of data about drivers — through a web of sensors, microphones, cameras, and the phones, apps, and other connected services in your car.

In September 2023, Mozilla released a groundbreaking investigation exposing the intrusive data collection practices of car companies. After rating 25 car brands, we concluded automobiles are the worst product category we’ve ever reviewed for privacy.[3]

The Mozilla community has been pressuring car companies to respect your right to privacy. Will you add to this pressure by signing the petition to tell car companies to stop their huge data collection programs?
Sign now →

Since our investigation, car companies have been under immense pressure — from consumers, lawmakers, journalists, and our movement. And since then, we’ve had some wins:

- The U.S. Federal Trade Commission released a firm warning to car companies, saying it will act against illegal collection, use, or disclosure of personal data.[4]
- The U.S. government launched an inquiry into connected cars’ privacy, due to national security concerns.[5]
- General Motors has been banned from selling driver behavior data in the U.S. for five years.[6]
- Toyota, Subaru, BMW, Tesla, and Ford said that all drivers in the U.S. now have the right (or will soon) to delete their personal data.[7]
- EU lawmakers cited Mozilla’s research three times to flag inadequate driver privacy protections.[8]
- Australia is also taking note, with the Privacy Commissioner launching an inquiry and acknowledging that the country’s privacy laws are ill-equipped to handle the invasive data practices of modern vehicles.[9]

Momentum is building toward achieving lasting and meaningful changes in how car companies handle our personal data, but there’s still a long way to go. Volkswagen’s data breach serves as a stark reminder of the risks posed by these massive data collection programs — and of the work still ahead to change the practices of car companies.

Sign the petition and tell car companies to stop their huge data collection programs.

Add your name →

Thank you for everything that you do to protect privacy.

Christian Bock
Head of Supporter Engagement
Mozilla

More Information:

1. The Verge: Volkswagen leak exposed location data for 800,000 electric cars. 30 December 2024.
2. TechCrunch: Volkswagen leak exposed precise location data on thousands of vehicles across Europe for months. 30 December 2024.
3. Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy. 6 September 2023.
4. Federal Trade Commission (U.S.): Cars, Consumer Data, and Unlawful Collection & Use. 14 May 2024.
5. U.S. Department of Commerce: Citing National Security Concerns, Biden-Harris Administration Announces Measures. 29 February 2024.
6. New York Times: General Motors Is Banned From Selling Driving Behavior Data for 5 Years. 16 January 2025.
7. Mozilla Foundation: Car Company CEOs Answer Tough Questions About Cars and Privacy (Kinda). 30 April 2024.
8. European Parliament: Examples of lawmakers citing Mozilla’s research – Document E-9-2023-002684_EN, Document E-9-2023-002847_EN and Document E-9-2023-003142_EN.
9. Australian Financial Review: How Your Electric Car Is Watching Your Every Move. 5 May 2024.