An unnamed digital vendor that Volkswagen's subsidiary, Audi, and some of its U.S. and Canadian dealers used for sales and marketing purposes "left electronic data unsecured at some point between August 2019 and May 2021," the German automaker said in the letter obtained by tech news website TechCrunch.
"We take the safeguarding of your information very seriously," Audi of America President David Weissland wrote. "We have informed the appropriate authorities, including law enforcement and regulators. We are working with external cybersecurity experts to assess and respond to this situation and have taken steps to address the matter with the vendor."
Mark Gilles, Volkswagen's senior manager or product and technology communications, told Fox Business in a statement that the company is "notifying all affected individuals directly, regardless of whether [they] are required to do so by law, and will offer free credit protection services to approximately 90,000 individuals for whom sensitive information was involved."
The majority of those affected were Audi customers, according to Gilles.
The third party may have accessed the "sensitive information relating to the eligibility of a purchase, loan or lease" of about 90,000 U.S. and Canadian Volkswagen or Audi clients, Gilles said in the statement.
Additionally, the third-party actor may have accessed the first and last names, personal or business addresses, email addresses and phone numbers of the 3.3 million total customers impacted.
A "very small" number of birth dates, Social Security numbers, account or loan numbers and tax ID numbers may have also been exposed, Gilles said.
The carmaker is urging clients to "remain alert for suspicious emails or other communications that might ask them to provide information about themselves or their vehicle."