Why the recent data breach at Volkswagen proves the need for the new NIS2 regulatory framework

29/01/2025
The end of 2024 was not a time for the folks at Volkswagen to sit back and relax. For one thing, Europe's largest automotive player is struggling to make headway on an EV strategy while remaining profitable. Its Q3 figures, published at the end of October, showed a drop in sales, revenue and profit and, more worryingly, a net liquidity of negative 160 billion.

But that was surely not the main discussion point at top management level at Volkswagen AG. They were probably more concerned about another dark cloud that had built up over the preceding days: a large breach of customer data at their software subsidiary Cariad. As most of you know, cars have become increasingly connected in recent years, and with the rise of battery electric vehicles many cars constantly send data in order to provide functionality and convenience to the driver: think of the availability of charging stations, preconditioning the battery for fast charging, preheating the car through an app, and so on. In themselves these are all logical uses, although many reports have surfaced about cars storing and sharing far more information than the functionality strictly requires. A 2023 study by the Mozilla Foundation called modern cars a "privacy nightmare": all 25 car brands it reviewed collected more data than necessary, and 76% of them admitted that they could sell that data on.

So what happened? As far as is known now, for an extended period (apparently following a mistake by a software developer last summer), the data Cariad gathered on vehicles of the Volkswagen Group brands Volkswagen, Seat, Audi and Skoda sat in an unsecured AWS storage location that was open to the public. The data included the precise GPS position of each car every time it was switched off. German magazine Der Spiegel took the example of the German politician Nadja Weippert, who, ironically, is not only the owner of a Volkswagen ID.3 but also her Green party's spokesperson on data privacy in her state parliament (Landtag). The data revealed her home address, but also her favourite bakery and the sports clubs she attended, with exact times. And not just for Nadja: the same held for the owners of roughly 800,000 electric vehicles across many European countries.

NIS2 and how it would affect Volkswagen

For those working in cybersecurity, the NIS directive, which stands for Network and Information Security, is nothing new. Its first version dates from 2016 and aimed to raise the level of cybersecurity across the European Union, with operators of essential services and digital service providers having to comply. Its implementation was considered less than a success, predominantly because there was no common understanding of the threats and challenges. Another issue that surfaced was the lack of enforcement, which led some organizations to give the directive less attention than it deserved. To address these shortcomings, the EU went to work on a successor, dubbed NIS2, which contains important differences from its predecessor. It significantly broadens the group of organizations that must abide by it, both in terms of the sectors covered and in terms of size, setting the threshold at 50 or more employees or an annual turnover of €10 million or more. These thresholds mean that most larger organizations in the listed sectors are bound to comply with NIS2. Enforcement is also more stringent: NIS2 addresses the earlier lack of implementation with hefty fines (up to a percentage of worldwide annual turnover) and even makes board members personally liable in case of (repeated) non-compliance. The NIS2 directive was published in December 2022, and member states had to transpose it into national legislation by 18 October 2024. Few countries managed to do so; Belgium was one of the few that met the deadline.

NIS1 did not apply to Volkswagen, but under NIS2 there is no doubt that it must comply: manufacturing is now in scope, and Volkswagen AG falls squarely into that category. The question is whether an employee's simple mistake of leaving the storage publicly accessible is the only cause of this breach. NIS2 also explicitly names cryptography and encryption among the required safeguards, and clearly the data in question was either not encrypted or the safeguards around the encryption were insufficient. We reached out to Volkswagen and Cariad to confirm this, and they gave the following statement: "Die Daten waren verschlüsselt, aber die Schlüssel wurden erlangt" (The data were encrypted, but the keys were obtained). That statement opens a Pandora's box with regard to security best practice. Encrypting data while protecting the keys haphazardly negates the entire point of encryption: if the keys are reachable from wherever the data is reachable, whoever finds the data also finds the means to read it, and the encryption provides only a false sense of security. It suggests that the keys were not kept in a hardware security module or a hardened virtual appliance, and that key management (generation, storage, rotation and access control for cryptographic material) was not, or only insufficiently, implemented.
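To make the key-management point concrete, here is an added example (written for this article, not Cariad's or Volkswagen's code, and not a description of their actual setup) of the pattern an HSM or cloud KMS is meant to enforce: envelope encryption, where each record is sealed under its own data key and that data key is in turn wrapped by a key-encryption key that never leaves the vault. The `Vault` type is a hypothetical in-process stand-in for an HSM/KMS, the vehicle identifier and the location record are constructed, and GCM is used for wrapping purely for brevity; in a real deployment Wrap/Unwrap would be remote calls to the key service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBlob returns nonce||ciphertext||tag; aad binds the blob to its context.
func sealBlob(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openBlob reverses sealBlob and fails on any tampering or wrong key/aad.
func openBlob(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Vault is a hypothetical stand-in for an HSM or cloud KMS: it holds the
// key-encryption key (KEK) and exposes only Wrap/Unwrap, never the KEK.
type Vault struct{ kek []byte }

func NewVault() (*Vault, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &Vault{kek: kek}, nil
}

func (v *Vault) Wrap(dek []byte) ([]byte, error)       { return sealBlob(v.kek, dek, []byte("dek")) }
func (v *Vault) Unwrap(wrapped []byte) ([]byte, error) { return openBlob(v.kek, wrapped, []byte("dek")) }

// StoredRecord is everything that lands in the object store: the ciphertext
// and the *wrapped* data key. Nothing in it decrypts on its own.
type StoredRecord struct {
	VehicleID  string
	Ciphertext []byte
	WrappedDEK []byte
}

// EncryptRecord is envelope encryption: a fresh data-encryption key (DEK)
// per record, data sealed under the DEK, DEK sealed under the vault's KEK.
func EncryptRecord(v *Vault, vehicleID string, plaintext []byte) (StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredRecord{}, err
	}
	ct, err := sealBlob(dek, plaintext, []byte(vehicleID))
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := v.Wrap(dek)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{VehicleID: vehicleID, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptRecord must go through the vault to recover the DEK. Someone who
// only holds the stored object, as with an open bucket, has no such path.
func DecryptRecord(v *Vault, rec StoredRecord) ([]byte, error) {
	dek, err := v.Unwrap(rec.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openBlob(dek, rec.Ciphertext, []byte(rec.VehicleID))
}

func main() {
	vault, _ := NewVault()
	// Constructed sample record: a switch-off position and time.
	rec, _ := EncryptRecord(vault, "VEHICLE-0001", []byte("52.345,9.741 2024-06-03T18:40Z"))
	pt, err := DecryptRecord(vault, rec)
	fmt.Printf("with vault:      %q err=%v\n", pt, err)
	stranger, _ := NewVault() // has the bucket contents but not the KEK
	_, err = DecryptRecord(stranger, rec)
	fmt.Println("without the KEK:", err)
}
```

The security property is in what is absent from `StoredRecord`: an exposed bucket leaks ciphertext plus wrapped keys, which is useless without the vault, whereas a key stored next to the data, or obtainable from the same credentials, collapses the scheme to plaintext. The additional data also binds each ciphertext to its vehicle, so records cannot be silently reassigned between vehicles.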

Cariad issued a long statement on the breach, stressing that the data could not be directly related to individual customers. For the Chaos Computer Club (CCC) in Germany, which obtained the data, it was apparently not too hard (after explicit agreement from the individuals concerned) to recombine the elements into a detailed picture that one would not want to fall into the wrong hands: a list of positions and times is pseudonymous only until the place where the car spends every night is matched to an address. And this is precisely the reason the NIS2 directive was issued.
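The re-identification step described above, as an added example (not the CCC's method and not Cariad's data): a two-week set of constructed "vehicle switched off" events is reduced to a coarse grid, the cell where the car ends most days is taken as home, and stops that recur at the same place, weekday and hour surface the bakery run and the training nights. Coordinates, dates and the 100 m grid are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// ParkEvent is one "vehicle switched off" record: position and time.
type ParkEvent struct {
	Lat, Lon float64
	At       time.Time
}

// Cell is a coarse grid key (three decimals, roughly 100 m) so GPS jitter on
// repeated stops at the same place collapses into one bucket.
type Cell struct{ Lat, Lon float64 }

func cellOf(e ParkEvent) Cell {
	return Cell{math.Round(e.Lat*1000) / 1000, math.Round(e.Lon*1000) / 1000}
}

// InferHome returns the cell where the vehicle most often ends its day
// (last switch-off per calendar day) and on how many days that was.
func InferHome(events []ParkEvent) (Cell, int) {
	lastOfDay := map[string]ParkEvent{}
	for _, e := range events {
		day := e.At.Format("2006-01-02")
		if cur, ok := lastOfDay[day]; !ok || e.At.After(cur.At) {
			lastOfDay[day] = e
		}
	}
	counts := map[Cell]int{}
	for _, e := range lastOfDay {
		counts[cellOf(e)]++
	}
	var best Cell
	bestN := 0
	for c, n := range counts {
		if n > bestN {
			best, bestN = c, n
		}
	}
	return best, bestN
}

// Routine is a stop that recurs at the same place, weekday and hour.
type Routine struct {
	Cell    Cell
	Weekday time.Weekday
	Hour    int
	Count   int
}

// RecurringStops lists (cell, weekday, hour) combinations seen at least
// minCount times, most frequent first, with a deterministic tie order.
func RecurringStops(events []ParkEvent, minCount int) []Routine {
	type key struct {
		c  Cell
		wd time.Weekday
		h  int
	}
	counts := map[key]int{}
	for _, e := range events {
		counts[key{cellOf(e), e.At.Weekday(), e.At.Hour()}]++
	}
	var out []Routine
	for k, n := range counts {
		if n >= minCount {
			out = append(out, Routine{k.c, k.wd, k.h, n})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		a, b := out[i], out[j]
		if a.Count != b.Count {
			return a.Count > b.Count
		}
		if a.Weekday != b.Weekday {
			return a.Weekday < b.Weekday
		}
		if a.Hour != b.Hour {
			return a.Hour < b.Hour
		}
		return a.Cell.Lat < b.Cell.Lat
	})
	return out
}

// SampleEvents builds two constructed weeks (Mon 2024-06-03 to Sun 2024-06-16)
// of switch-off events: office on weekdays, sports club on Tue/Thu, bakery
// on Saturday, home every evening. All coordinates are made up.
func SampleEvents() []ParkEvent {
	var ev []ParkEvent
	add := func(i int, lat, lon float64, h, m int) {
		j := float64(i%3-1) * 0.0003 // a little GPS jitter, stays inside the cell
		ev = append(ev, ParkEvent{lat + j, lon + j, time.Date(2024, 6, 3+i, h, m, 0, 0, time.UTC)})
	}
	for i := 0; i < 14; i++ {
		wd := time.Date(2024, 6, 3+i, 0, 0, 0, 0, time.UTC).Weekday()
		switch {
		case wd == time.Saturday:
			add(i, 52.3470, 9.7450, 8, 5)  // bakery
			add(i, 52.3450, 9.7410, 8, 40) // home
		case wd == time.Sunday:
			add(i, 52.3450, 9.7410, 17, 0) // home
		default:
			add(i, 52.3800, 9.7200, 8, 2) // office
			if wd == time.Tuesday || wd == time.Thursday {
				add(i, 52.3600, 9.7000, 18, 5)  // sports club
				add(i, 52.3450, 9.7410, 20, 15) // home
			} else {
				add(i, 52.3450, 9.7410, 18, 40) // home
			}
		}
	}
	return ev
}

func main() {
	events := SampleEvents()
	home, days := InferHome(events)
	fmt.Printf("home: %.3f,%.3f (last stop of the day on %d of 14 days)\n", home.Lat, home.Lon, days)
	for _, r := range RecurringStops(events, 2) {
		fmt.Printf("%-9s %02d:00 at %.3f,%.3f (%d times)\n", r.Weekday, r.Hour, r.Cell.Lat, r.Cell.Lon, r.Count)
	}
}
```

No vehicle identifier, name or account is needed for any of this: the geometry and the timestamps alone single out a household, and a public address lookup or a single known fact about a person (where a politician lives, which club she trains at) turns the pseudonymous trace into a named one. That is why "not directly related to individual customers" is a weak defence for location data.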

This article was published in Dutch at Datanews NL, in French at ITchannel in LeVif, and in English on Medium.