[BreachExchange] Vendor linked to VW data breach named in memo to dealers

Mon Jun 14 13:38:40 EDT 2021

https://www.autonews.com/technology/vendor-linked-vw-data-breach-named-memo-dealers

A memo to Volkswagen Group of America dealers obtained by Automotive News
identified a vendor involved in a data breach impacting more than 3.3
million customers and prospective buyers, primarily at Audi.

In the email sent Thursday, Audi of America President Daniel Weissland
identified the vendor as Shift Digital, which is “used by Audi, Volkswagen,
and some authorized dealers in the United States and Canada.” Two dealers
with knowledge of the situation verified the vendor’s identity with
Automotive News.

Multiple messages seeking comment were sent Friday to Shift Digital, of
Birmingham, Mich., but were not immediately returned. Spokespeople for the
Audi and Volkswagen brands declined further comment beyond a statement the
automaker released earlier in the day, which did not publicly name the
vendor.

The information, gathered for sales and marketing between 2014 and 2019,
was in an electronic file the vendor left unsecured, VW of America said in
its statement. According to Reuters, the automaker told regulators the vast
majority of customers had only phone numbers and email addresses
potentially compromised. In some cases, data also included information
about a vehicle purchased, leased or inquired about.

However, VW of America said, 90,000 Audi customers and prospective buyers
had sensitive data impacted relating to purchase or lease eligibility. The
automaker said it will offer free credit protection services to those
individuals. This data comprised driver’s license numbers in more than 95
percent of cases. A small number of records included additional data such
as dates of birth, Social Security numbers and account numbers.

In his email, Weissland said: “We believe the data was obtained when the
vendor left electronic data unsecured at some point between August 2019 and
May 2021, when we identified the source of the incident.” He also told
dealers that the breached information “does not affect all dealers, but
will affect most, if not all, dealers that use the Enterprise Lead
Management (ELM) program offered through Shift Digital.”

The automaker said it does not believe sensitive information is involved in
Canada, where 163,000 customers were impacted.

More than 3.1 million people affected are in the U.S. Reuters reported the
story earlier Friday.

VW STATEMENT

We recently discovered that an unauthorized third party obtained limited
personal information received from or about customers and interested buyers
from a vendor that Audi, Volkswagen and some authorized dealers in the
United States and Canada use for digital sales and marketing activities.
The information was gathered for these purposes between 2014 and 2019 and
was in an electronic file that the vendor left unsecured.

We are notifying all affected individuals directly, regardless of whether
we are required to do so by law, and will offer free credit protection
services to approximately 90,000 individuals for whom sensitive information
was involved.

We take data security very seriously and are committed to safeguarding
personal information. We have also informed the appropriate authorities,
including law enforcement and regulators, and are working with external
cybersecurity experts and the vendor to assess and respond to this
situation.

Based on our analysis to date, we believe that the vast majority of the
information relates to Audi customers and interested buyers in the United
States. At this time, the breakdown is as follows:

•    Sensitive Information Relating to Eligibility for a Purchase, Loan, or
Lease

o    Information relating to approximately 90,000 Audi customers or
interested buyers in the United States.
o    This sensitive data was comprised of driver’s license numbers in more
than 95% of cases. A very small number of records included additional data,
such as dates of birth, Social Security numbers and account numbers.
o    To our knowledge, no sensitive information (as described above) is
involved in Canada.

•     Contact Information Received from or about Customers or Interested
Buyers

o    Information relating to approximately 3.1 million Audi customers or
interested buyers in the United States and approximately 163,000 in Canada.
o    Information relating to approximately 3,300 Volkswagen customers and
interested buyers in the United States.
o    This information comprised data such as names, mailing addresses,
email addresses or phone numbers and, in some cases, vehicle data such as
VINs and vehicle features.

We regret any inconvenience this may cause our current or potential
customers. As always, we recommend that individuals remain alert for
suspicious emails or other communications that might ask them to provide
information about themselves or their vehicle.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210614/9677673b/attachment.html>