After notifying customers of a breach spanning from August 2019 to May 2021, Volkswagen is now dealing with the potential sale of 3.3 million customer records that an attacker claims to have and is advertising on a hacking forum. The records allegedly include data for customers of Audi, Volkswagen, and dealers in North America. Most of the records pertain to potential sales leads, but the remaining information includes records of sales in the database. According to Bleeping Computer, the sales information includes the most information pertaining to “VINs, business numbers, information about the driver, and vehicle information.”
Large PII dumps such as this serve as a reminder to organizations that how data is handled is of the utmost importance. Because this database was created and used by a third-party vendor, policies about data handling may or may not have been enforced. As it pertains to privacy, using non-name identifiers can soften the blow if the information is leaked. Most importantly, assurance that proper controls are put into place when data is hosted in the cloud could have prevented the easy access of data. Organizations ought to consider and implement security tests and audits on a regular basis to document what systems pose a risk to organizations and, most importantly, their customers.