3.3 million customers hit by VW data breach — what to do

Updated June 18 with news that some of the stolen data appears to be on sale in a cybercrime marketplace.

Volkswagen Group of America announced today (June 11) that more than 3.3 million potential and actual Audi customers in the U.S. and Canada had personal data exposed. At least some data was taken without authorization.

"A third party obtained limited personal information" from an unnamed sales and marketing vendor, a letter sent to state attorneys general and obtained by TechCrunch said. Further investigation revealed that the vendor had "left electronic data unsecured at some point between August 2019 and May 2021."

The implication is that the unauthorized party got hold of only the least sensitive data, which would not normally raise red flags. But because of the highly sensitive nature of some of the other exposed data, Volkswagen is providing free identity-theft protection for 900,000 affected persons.

All of the data was collected for sales and marketing purposes between 2014 and 2019. The more than 3.3 million persons affected had some combination of first and last names, postal addresses, personal or business email addresses and phone numbers exposed — basically just contact info. 

The data also included vehicle information such as the models purchased, leased or inquired about and Vehicle Identification Numbers (VINs).

However, 900,000 actual and prospective customers also had more sensitive information exposed that related to "eligibility for a purchase, loan or lease." For "over 95%" of those 900,000 people, Volkswagen of America said in its attorneys-general letter, that sensitive information consisted only of driver's-license numbers.

Potentially catastrophic consequences

But for the other 5% or so — as many as 45,000 people — dates of birth, account or loan numbers, tax identification numbers and U.S. Social Security numbers or Canadian Social Insurance Numbers were exposed.

If that data was indeed stolen during the nearly two-year window of exposure, the consequences for the affected individuals could be catastrophic. 

With the full name, street address, date of birth and Social Security number/Social Insurance Number for a resident of the U.S. or Canada, an identity thief can make pretty good headway in opening accounts, collecting benefits and obtaining identification documents or even employment in the victim's name.

Having a driver's-license number stolen is less severe, but it's often enough to get started with identity theft. New York State recently notified thousands of residents that fraudulent attempts had been made to collect unemployment benefits in their names as a result of driver's-license numbers being exposed on the website of the New York-based insurance company GEICO.

How to get VW's free identity-theft protection

As a result, Volkswagen of America is offering 2 years of IDX credit monitoring and identity-theft protection to the 900,000 people who had the most sensitive data exposed. Letters are being mailed out starting today (June 11) to all 3.3 million affected individuals, regardless of their levels of data exposure.

The letters to the 900,000 more severely affected individuals will contain an enrollment code with which recipients can sign up for IDX identity protection at https://response.idx.us/audivwdataprotect or by calling (833) 406-2408 from 9 a.m. to 9 p.m. Eastern time Monday through Friday. The deadline to enroll is Sept. 11, 2021.

The letters will also include recommendations from IDX on other steps to take, including checking your credit reports and instituting fraud alerts with one of the Big Three credit-reporting agencies — Equifax, Experian or TransUnion — after activating IDX credit monitoring. 

You need to contact only one credit bureau to request a fraud alert, as that bureau will alert the other two. Credit alerts are free and last one year. You will be notified when any potential lender wants to see your credit file, and you will often be provided with a free copy of your credit report when the fraud alert is requested.

The IDX letter mentions, but does not explicitly recommend, the further step of instituting a credit freeze, which will bar any party from viewing your credit files unless you temporarily or permanently "unfreeze" your files. Credit freezes are also free but must be requested from each credit bureau individually. 

A credit freeze can also prevent you from getting additional credit easily, so it's best only if you know that your identity has been stolen or is at great risk of being stolen.

For more information about fraud alerts, credit freezes and how and whether to get them, visit our page on what to do if your Social Security number is stolen.

Update: Stolen VW data appears to be on sale online

The data stolen from Volkswagen Group of America appears to be up for sale in a cybercrime marketplace, reports Vice Motherboard.

The data for sale includes names, email addresses, mailing addresses, telephone numbers and Vehicle Identification Numbers, Vice says the seller stated. However, the seller also told Vice that neither Social Security numbers nor driver's-license numbers were part of the data.

That seems to jibe with Volkswagen's hints that the hacker did not get hold of the most sensitive data.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • kep55
    Another company has been bit by a stupid decision to save a few pennies and put sensitive, proprietary, confidential and personal information in the world's largest net. And anyone with any brains knows a net is just a bunch of holes connected with string. I have absolutely no sympathy for these fools.