Hackers Are Selling Data Stolen From Audi and Volkswagen (vice.com)
On Friday, Volkswagen disclosed a data breach that it said affected 3.3 million customers and interested buyers. On Monday, hackers put the data stolen from the car maker on sale on a notorious hacking forum. From a report: In the sales listing reviewed by Motherboard, a hacker that goes by 000 wrote that the data included email addresses and Vehicle Identification Numbers (VIN). The hacker also posted two samples of the data, which included full names, email addresses, mailing addresses, and phone numbers. The type of data seems to align with what Volkswagen admitted was stolen. In a website set up by a cybersecurity vendor on behalf of the car maker, Volkswagen said that "the majority" of affected data included: "first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color and trim packages."
But for 90,000 victims, the data also included "more sensitive information relating to eligibility for a purchase, loan, or lease. Nearly all of the more sensitive data (over 95%) consists of driver's license numbers," according to the company, which added that the majority of data pertains to Audi customers and interested buyers in the US and Canada only. The company also said it believes the data was left unsecured by a vendor. (Audi is owned by the Volkswagen Group.) "There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers," the website read.
Aren't Audi and Volkswagen the same company? (Score:2)
Re: (Score:1)
Different business units are usually managed separately.
Re: (Score:2)
realization.
Volkswagen can not build cars.
i guess i should not be surprised that Volkswagen is also thoughtless about company information
Re: (Score:2)
Indeed.
Volkswagen, Audi, SEAT, ŠKODA, Bentley, Bugatti, Lamborghini, Porsche, Ducati, Volkswagen Commercial Vehicles, Scania and MAN.. it's all VW.
Only Rolls Royce is BMW.
this is why we need federal regulations (Score:3)
HIPAA regulations help ensure that the people you give your Personal Health Information to can't just send the data willy-nilly to anyone at all, that the people that have access to them must have a good reason for it, and that they have to take some basic precautions to protect the information.
PCI regulations help ensure similar things about credit card data.
But there's no regulation that specifically protects *other* sensitive information, like social security numbers and drivers' license numbers. If we had regulations covering those, businesses would be required to perform the most basic protections for this data, and not send them or keep them just anywhere.
A handful of states have enacted varying laws about what you can and can't do with a SSN. But they're not standard, and only protect a fraction of the country (and only businesses in those states). https://advocacy.consumerrepor... [consumerreports.org]
Meanwhile, the federal government knows this is a problem, but doesn't do much about it. In 2010, they created a law purely to stop printing SSNs on checks they issue, and to prevent prisoners from getting lists of SSNs. Well I guess that'll solve it... https://www.thebalance.com/soc... [thebalance.com]
Regulations are not foolproof. But I can tell you from personal experience that companies I have worked for only started giving a crap about credit card data, health data, and personal information, after federal regulations created penalties for their misuse.
Re: (Score:2)
But there's no regulation that specifically protects *other* sensitive information, like social security numbers and drivers' license numbers.
SSN: Given to you by the government.
DLN: Given to you by the state.
Phone#: Given to you by a monopoly.
Seems right in line who should be doing the management.
Re: (Score:2)
But there's no regulation that specifically protects *other* sensitive information, like social security numbers and drivers' license numbers.
This is fixing the problem from the wrong end.
What we should be doing is banning the use of these numbers for authentication. No financial or credit-issuing company should use the knowledge of these numbers as a verification of identity. Then it doesn't matter if they leak.
Great News! (Score:2)
Re: (Score:2)
I can sell you some fake parts [slashdot.org] to keep it going.
Re: (Score:2)
Laws need to target demand. (Score:2)
Instead of attacking and trying to catch the hackers who got the information and sold it, you should target those who had bought and used such information.
Being large fines, jail time, or a fleet of Apache Helicopters going to their location.
The actual hacker may just be a lone wolf, some kid who just stumbled onto a security flaw, they may be difficult to track down. However if the data is bought for millions of dollars, chances are it is going to be targeted towards an organization, wealthy person, or
Re: (Score:2)
Re: Laws need to target demand. (Score:2)
Should not have consequences, but they do... (Score:5, Insightful)
But most of the lenders are so lax they lend to anyone based on name, address, date of birth and social security number. Again that too should be the problem of the lender, but the way US laws are structured, if someone claims to be me and borrows, it is up to me to prove it was not me. I should be able to say, "You lent the money, You did the verification. Prove that I did the borrowing. If you blindly report to credit reporting agencies that I have defaulted on loan mistakenly you are liable for all damage caused by such a report under libel and slander laws". But I can't, and that is the root cause of the problem. I am not big enough to fight the banks.
Re: (Score:2)
Fake? (Score:2)
Probably Audi and VW did it themselves to act like there is something worth stealing from them. If it were SpaceX or Tesla stuff that would be more of value. What's there to find out from VW? How to make a Golf clone? Are you kidding me? Who would want to do that?
Re: (Score:2)
What's there to find out from VW?
Who knows?
I acquired a used Audi a few years back. It was either I take it (for free) or it had to be towed to the car crusher. Previous owner signed it over to me and I registered it at my PO box (as I do with all my vehicles). A few months later, Audi starts sending me maintenance reminders and ads for new models. To my home address. How'd they get that? I'm pretty certain I know how. Our state sells whatever personal data it has on its subjects to anyone who will pay cash. But now it's in the VAG databa
VW data and me (Score:2)
All I ever got from VW was a marketing questionnaire about why I chose to buy the car I did (VW Golf) back in 2016. One question was what other models I considered, and the answer was Toyota Prius and Tesla Model S. It felt slightly surreal when I wrote that down. All other communication (e.g. service reminders) has been from the dealer.
I wouldn't mind a bit more data from VW, like how to update the GPS navigation database. It's starting to show its age.
...laura