Volkswagen/Audi Shift Digital Breach — 3.3M Customers, Unsecured Cloud Data 2019–2021
Incident Details
Volkswagen Group of America and Audi of America disclosed in June 2021 that approximately 3.3 million customers and prospective buyers had their personal data exposed due to an unsecured dataset left accessible on the internet by Shift Digital, a digital marketing vendor that VW and Audi used to conduct sales and marketing campaigns.
The data was compiled from customer interactions with VW and Audi dealers and websites between 2014 and 2019, and was left unsecured by Shift Digital at some point between August 2019 and May 2021 — a window of approximately 21 months. The dataset was discovered and reported to Volkswagen by an unnamed security researcher.
The exposed data varied by individual. The majority of affected records (over 3.3 million) included contact information: first and last name, personal or business mailing address, email address, and phone number, along with vehicle details such as VIN, make, model, year, color, and trim package for vehicles purchased, leased, or inquired about. A subset of approximately 90,000 Audi customers had highly sensitive financial and identification data exposed, including driver’s license numbers, dates of birth, Social Security numbers or social insurance numbers (for Canadian customers), and account or loan numbers.
No Mercedes-Benz, Porsche, or other VW Group brand customers outside of VW and Audi of America were reported as affected. The breach class action was settled for $3.5 million. The incident illustrated how automotive OEMs that share customer data with digital marketing and lead-generation vendors create significant downstream exposure when those vendors fail to apply adequate cloud storage access controls. Shift Digital did not publicly comment on the specifics of the misconfiguration.
Technical Details
- Initial Attack Vector: Misconfigured cloud storage — Shift Digital left an unsecured dataset containing VW/Audi customer data exposed on the internet between August 2019 and May 2021
- Vendor / Product: Shift Digital (digital marketing vendor for Volkswagen Group of America)
- Supply Chain Attack: ✅ Confirmed third-party / vendor compromise
Timeline
- 2019-08-01 Breach occurred
- 2021-06-11 Publicly disclosed
- 2021-06-11 Customers notified