VW data scandal 2.0

Chaos Computer Club uncovers another massive data breach at Volkswagen

Industry 4.0 completely misunderstood

The Chaos Computer Club (CCC) has uncovered a serious data scandal at Volkswagen, which can be described as VW data scandal 2.0. According to the CCC’s revelations, the Volkswagen Group systematically recorded movement data from hundreds of thousands of VW, Audi, Skoda and Seat vehicles and stored it over long periods of time [source: 1]. This movement data could be regarded as machine data, i.e. Industry 4.0 data. Particularly alarming is the fact that this sensitive data, including information about vehicle owners, was accessible on the internet without protection [source: 1].

Scope and impact of the VW data scandal 2.0

The VW data scandal 2.0 affects not only private individuals, but also fleet administrators, board members and supervisory board members of DAX companies as well as various police authorities in Europe [source: 1]. Particularly controversial is the collection of movement data from 35 electric patrol cars of the Hamburg police, data that was stored on the VW platform where third parties could view it [source: 1].

The information collected by the VW subsidiary Cariad includes precise details of the location and time when the ignition was switched off [source: 1]. This movement data is linked to other personal data, which allows conclusions to be drawn about suppliers, service providers, employees or even cover organizations of security authorities [source: 1].

Legal implications of the VW data scandal 2.0

As I am not a lawyer, I am not permitted to publish legal advice here. As a data protection officer trained in accordance with the Ulm model, I have come to the following conclusion: The VW data scandal 2.0 represents a significant breach of the German Federal Data Protection Act (BDSG) and the General Data Protection Regulation (GDPR). In accordance with the applicable data protection laws, the approximately 460,000 VW drivers affected now have the right to request information about their stored data.

Relevant paragraphs of the BDSG

  • Section 34 BDSG: Right to information of the data subject
  • Section 35 BDSG: Right to rectification or erasure of personal data and to restriction of processing
  • Section 83 BDSG: Damages and compensation

Relevant articles of the GDPR

  • Art. 15 GDPR: Right of access by the data subject
  • Art. 16 GDPR: Right to rectification
  • Art. 17 GDPR: Right to erasure (“right to be forgotten”)
  • Art. 18 GDPR: Right to restriction of processing
  • Art. 82 GDPR: Liability and right to compensation

In accordance with the Federal Data Protection Act (BDSG):

Section 34 BDSG regulates the data subject’s right to information. Data subjects have the right to receive information about the personal data stored about them, its origin, the purpose of processing and the recipients.

In accordance with the General Data Protection Regulation (GDPR):

Article 15 GDPR describes the data subject’s right of access. This right includes:

    • confirmation as to whether personal data is being processed,
    • information on the purposes of processing,
    • the categories of personal data,
    • the recipients to whom the data has been or will be disclosed,
    • the storage period or the criteria for determining this period,
    • the existence of further rights (e.g. rectification, erasure, restriction of processing),
    • the right to lodge a complaint with a supervisory authority,
    • information on the origin of the data if it was not collected from the data subject,
    • the existence of automated decision-making, including profiling.

Effects on the VW Group

The VW data scandal 2.0 could have far-reaching consequences for the Volkswagen Group. In addition to possible legal consequences and fines, there is the threat of considerable reputational damage. Customer confidence in data protection at VW is likely to be severely shaken.

Financial risks

Volkswagen could face high fines. According to Art. 83 GDPR, violations of data protection regulations can be punished with fines of up to 20 million euros or up to 4% of the total worldwide annual turnover of the previous financial year [source: 2].

Reputational damage

The VW data scandal 2.0 could cause lasting damage to the Group’s image. Customers could lose confidence in the brand, which could have a negative impact on sales figures and market share.

Legal consequences

Affected customers could assert claims for damages. There is also the potential threat of class action lawsuits that could keep the Group busy and financially burdened for years.

Role and responsibility of data protection officers at VW

In the context of the VW data scandal 2.0, the role of the data protection officer at Volkswagen is coming into focus. Their task is to monitor compliance with data protection regulations and act as a point of contact for data subjects and supervisory authorities.

Time required

The last point in particular is important. Just imagine if all 460,000 customers were to request information. Every single case would have to be processed in full, and even if the data protection professionals at VW were extremely fast, in my experience they would need at least one day per case. That would be 460,000 days = 2191 man-years, assuming an availability of 210 days per employee per year.

Failures and challenges

The VW data scandal 2.0 raises questions about the effectiveness of data protection measures at VW. Data protection officers are faced with the challenge of identifying the causes of the data breach and implementing measures to prevent similar incidents in the future.

Technical aspects of the VW data scandal 2.0

The VW data scandal 2.0 reveals serious technical deficiencies in the Group’s data security. The fact that sensitive data was accessible unprotected in an Amazon cloud storage system points to fundamental weaknesses in the IT infrastructure [source: 4].

Security gaps

The security vulnerability for which the VW software subsidiary Cariad was responsible enabled access to the location data of around 800,000 electric cars [source: 4]. The information was particularly detailed for owners of the VW ID.3 and ID.4 models [source: 4].

Necessary technical improvements

  1. Encryption of all sensitive data
  2. Implementation of robust access management
  3. Regular security audits and penetration tests
  4. Use of advanced intrusion detection systems

Historical context: Previous data protection breaches at VW

The current VW data scandal 2.0 is not the first incident of this kind at Volkswagen. Fines for data protection violations have already been imposed in the past.

Fine of 1.1 million euros in 2022

In July 2022, the State Commissioner for Data Protection of Lower Saxony imposed a fine of 1.1 million euros on Volkswagen [source: 5]. The reason was data protection violations in connection with research drives for a driver assistance system [source: 5].

Lessons from the past

The VW data scandal 2.0 shows that despite previous incidents and fines, data protection measures at Volkswagen have apparently not been sufficiently improved. This underlines the need for a fundamental overhaul of the Group’s data protection strategy.

Reactions and statements

Volkswagen

Volkswagen has responded to the CCC’s revelations and attempted to calm the situation. The company explained that access to the data was carried out “in a very complex, multi-stage process” [source: 1]. According to VW, the CCC was only able to access pseudonymized vehicle data that did not allow any conclusions to be drawn about individual persons [source: 1].

Chaos Computer Club

Linus Neumann, spokesman for the Chaos Computer Club, emphasized the seriousness of the incident: “The problem is that this data was collected in the first place and stored for such a long period of time. The fact that it was poorly protected on top of that just puts the icing on the cake.” [source: 1]

Outlook and possible consequences

The VW data scandal 2.0 is likely to have far-reaching consequences for the Volkswagen Group and possibly for the entire automotive industry.

Regulatory tightening

It is to be expected that this incident will lead to stricter data protection regulations in the automotive industry. Legislators and supervisory authorities could issue stricter requirements for the handling of vehicle data.

Confidence-building measures

Volkswagen will need to make significant efforts to regain the trust of customers and the public. This could include introducing more transparent privacy practices and giving users greater control over their data.

Industry-wide effects

The VW data scandal 2.0 could serve as a wake-up call for the entire automotive industry. Other manufacturers will need to review and improve their own data protection practices to avoid similar incidents.

Conclusion

The VW data scandal 2.0 marks a turning point in the discussion about data protection in the automotive industry. It clearly shows the risks and challenges associated with the increasing digitalization and networking of vehicles. Volkswagen is now faced with the task of not only dealing with the immediate consequences of the scandal, but also developing long-term solutions that restore customer trust and prevent future data breaches.

The automotive industry as a whole must learn from this incident and take proactive measures to protect the privacy and security of vehicle users. This is the only way to maintain and strengthen trust in the digital transformation of mobility.

The VW data scandal 2.0 underlines the need for continuous review and improvement of data protection practices in an increasingly connected world. It should serve as a reminder that the protection of personal data is not only a legal obligation, but also an ethical responsibility and a crucial factor for long-term business success.

Sources

  1. https://www.adac.de/news/vw-datenleck/
  2. https://www.datenschutzticker.de/2022/08/millionenschweres-bussgeld-gegen-volkswagen-festgesetzt/
  3. https://www.vwgroupsupply.com/one-kbp-pub/de/kbp_public/rechtliches_4/privacy_policy/privacy_policy_1.html
  4. https://www.manager-magazin.de/unternehmen/autoindustrie/volkswagen-standortdaten-von-rund-800-000-elektroautos-oeffentlich-einsehbar-a-a6c5a310-1458-48e1-9666-2cb1e0b30463
  5. https://www.lfd.niedersachsen.de/startseite/infothek/presseinformationen/1-1-millionen-euro-bussgeld-gegen-volkswagen-213835.html
  6. https://www.volkswagen-automobile-berlin.de/datenschutz
  7. https://www.ccc.de/de/updates/2024/wir-wissen-wo-dein-auto-steht
  8. https://dataagenda.de/millionen-bussgeld-wegen-nicht-datenschutzkonformer-forschungsfahrten/
  9. https://www.heise.de/news/In-der-Cloud-abgelegt-Terabyte-an-Bewegungsdaten-von-VW-Elektroautos-gefunden-10220623.html
  10. https://www.wbs.legal/it-und-internet-recht/datenschutzrecht/vier-datenschutzverstoesse-vw-muss-millionenbussgeld-zahlen-61416/
  11. Image: ChatGPT

Dr. Claus Michael Sattler

P.O. Box 1142
28833 Weyhe
Germany

Phone: 0049 174 6031377

E-Mail: cms@sattlerinterim.com