A memo to Volkswagen Group of America dealers obtained by Automotive News identified a vendor involved in a data breach impacting more than 3.3 million customers and prospective buyers, primarily at Audi.
In the email sent Thursday, Audi of America President Daniel Weissland identified the vendor as Shift Digital, which is “used by Audi, Volkswagen, and some authorized dealers in the United States and Canada.” Two dealers with knowledge of the situation verified the vendor’s identity with Automotive News.
Multiple messages seeking comment were sent Friday to Shift Digital, of Birmingham, Mich., but were not immediately returned. Spokespeople for the Audi and Volkswagen brands declined further comment beyond a statement the automaker released earlier in the day, which did not publicly name the vendor.
The information, gathered for sales and marketing between 2014 and 2019, was in an electronic file the vendor left unsecured, VW of America said in its statement. According to Reuters, the automaker told regulators the vast majority of customers had only phone numbers and email addresses potentially compromised. In some cases, data also included information about a vehicle purchased, leased or inquired about.
However, VW of America said, 90,000 Audi customers and prospective buyers had sensitive data impacted relating to purchase or lease eligibility. The automaker said it will offer free credit protection services to those individuals. This data comprised driver’s license numbers in more than 95 percent of cases. A small number of records included additional data such as dates of birth, Social Security numbers and account numbers.
In his email, Weissland said: “We believe the data was obtained when the vendor left electronic data unsecured at some point between August 2019 and May 2021, when we identified the source of the incident.” He also told dealers that the breached information “does not affect all dealers, but will affect most, if not all, dealers that use the Enterprise Lead Management (ELM) program offered through Shift Digital.”
The automaker said it does not believe sensitive information is involved in Canada, where 163,000 customers were impacted.
More than 3.1 million people affected are in the U.S. Reuters reported the story earlier Friday.
Lindsay VanHulle and Reuters contributed to this report.
