On March 10, 2021, Audi (a subsidiary of the Volkswagen Group) were alerted that an unauthorized third party obtained certain customer information. Customers were not contacted until June 19, 2021, despite the potential for personally indefinable information having been exposed.
News of the incident comes via letter that was sent to customers of Audi Canada impacted by the unprecedented cybersecurity breach, dated on June 19 (eight days after Reuters posted that a breach had happened, and three months following the actual incident). The letter has not been released publicly, but a copy has been seen by Digital Journal. Additional information has been posted onto the Audi website.
The letter comes from Vito Paladino, President of Audi Canada Inc. While the letter does not detail how the cybersecurity breach occurred, it does indicate that the data breach was of a wide impact and this has led to personally identifiable information being exposed.
While Audi state they launches an investigation in March 2021, the outcome of this inquiry is lacking detail. The letter to customers states: “The investigation confirmed that the third party obtained limited personal information received from or about customers and interested buyers from a vendor used by Audi, Volkswagen, and some authorized dealers in the United States and Canada”
What do Audi consider to the “limited information”. The letter acknowledges this includes sales data. Audi acknowledges this includes, should you have been affected, your name, your address, your email, your telephone number. Also included may have been the make and model of the car, its color, the identification number of the car – even any customization like the trim.
How does this represent “limited information”? Such data presents a gateway to finding out a lot of details about a person. A spammers charter.
Another point of concern is the time period involved. The impacted period expands over five years, between 2014 and 2019.
Such a delay would not be possible on the part of a major corporation in Europe. Companies are legally obligated under GDPR to inform if they suffer a breach involving personal information of customers or employees.
Interestingly, from the customer services perspective, there is no precise or implicit apology in the letter. This is despite their being to the millions of affected customers both in Canada and the U.S.
Audi outlines steps to explain how it is going to ensure this type of issue does not reoccur. This comprises of engaging “external cybersecurity experts to assess and respond to this situation and have taken steps to address the matter with the vendor.” This does not exactly convey the installation of a new tamper-proof biometric system.
The letter provides a warning to customers about suspicious emails and advises customers not to provide personal data to any one making an inquiry. Important points, but this smacks of passing over the precautionary responsibility to those affected by the weaknesses that took place within the corporate regime.
The letter does not make any reference, however, to the rise in carjacking and the concerns around criminals accessing car security systems. This is something that becomes easier with an element of personal information, as well as criminals obtaining information about higher-end priced cars and where they are likely to be parked.
For consumers to feel more comfortable about passing on their personal details, companies such as Audi need to take security and customer care a little more seriously.