What if your connected car’s data is hacked, sold, and exploited by piracy?


Data theft has been a critical concern in the media and entertainment industry for years, as our readers well know.  Personal data scraped from consumer accounts or purchased through online marketplaces become weaponized through phishing and ransomware attacks.  Sale of account data is a thriving business, and the more specific the data, the more it’s worth.  Of course, the problem isn’t limited to our industry; every industry is vulnerable.

Virtually all modern automobiles are equipped with hundreds of sensors that record your every action, and telemetry that can communicate it all back to the manufacturer.  It’s positioned by manufacturers variously as a safety feature, a way to get quick service after an accident or a breakdown, and (ostensibly) as a way to improve your auto insurance rate.  But as The New York Times reported in March, this isn’t always the result.  One Cadillac owner sued GM because he had not (intentionally or consciously) given GM approval to share data that included his driving habits, which resulted in the doubling of his auto insurance rate.


But there’s another side: because these telemetry systems enable remote access by the end user, the dealer, and by the manufacturer, consumer data can be exploited, sold or stolen just as they are for media accounts.  On a recent service visit for our 2020 family car for what we thought was a battery failure, I asked the service manager to turn off data collection. The dealer refers these requests to the manufacturer and claims that the dealership retains no data except the service history.  To give you a sense of the extent of computerization, the so-called battery failure was not a failure at all.  If you’re running the accessories, all of the car’s electronics are active, which draws power, even the sensor that measures your weight in the driver’s seat.

In addition to the privacy concerns, auto manufacturers are opaque at best about whether or how they protect consumer data through encryption, or about any cybersecurity best practices they might employ.  In a September 2023 study published by The Mozilla Foundation, 17 auto manufacturers (68% of them) had been victimized by “leaks, hacks and breaches that threatened their drivers’ privacy.”  Another source calls modern automobiles “smartphones on wheels.”

Connected Vehicle. Image source: World Economic Forum


General Motors’ OnStar platform suffered major hacks in 2015 and again in May 2022.  In the later attack, “unauthorized parties could have gained access to limited personal information of your GM online or mobile application accounts, such as first and last name, personal email address, personal address, username and phone number for registered family members tied to your account, last known and saved favorite location information, your currently subscribed OnStar package (if applicable), family members’ avatars and photos (if uploaded), profile picture, search and destination information, reward card activity, and fraudulently redeemed reward points,” according to a letter to OnStar customers that was filed with the California Attorney General by General Motors, which is required by California law.

While Tesla emphatically does not sell customer data, it has had other data privacy issues.  In 2023, a whistle-blower turned over a cache of Tesla company data to Handelsblatt, a German publication, which published a report about it.  The data included “salaries of 100,000 employees, bank details of customers, secret details from production, even the alleged vehicle and social security number of Tesla boss Elon Musk,” as well as reports of errors produced by Tesla’s Full Self Driving (FSD) feature. What if this was your Tesla?  Because the leak also constitutes a violation of the EU’s General Data Protection Regulation, the company may also be subject to a fine of up to 4% of a company’s annual revenue, which in Tesla’s case would amount to more than €3 billion, which would exceed previous GDPR fines against Facebook and Amazon.

Worse yet, although auto manufacturers’ privacy policies are often quite explicit, it’s up to the consumer to read policies that extend for tens or hundreds of pages. Kia’s privacy policy discloses, for example, that it collects “sensitive personal information” that includes “Social Security number, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs; union membership; genetic data; unique biometric information; contents of certain mail, emails, and text messages; or health, sex life or sexual orientation information.”

Further reading

Automakers are sharing consumers’ driving behavior with insurance companies. Article. By Kashmir Hill. March 11, 2024. The New York Times

It’s Official: Cars are the worst product category we have ever reviewed for privacy.  Analysis and report. By Jen Caltrider, Misha Rykov, Zoe MacDonald. September 6, 2023. Mozilla Foundation

Your car might be sharing data with insurers – and costing you money.  Article. By Justin Banner. March 13, 2024. Motor Trend magazine

Why we publish the Tesla files.  Article. By Sebastian Matthes, Editor in Chief. May 25, 2023. Handelsblatt GmbH

Notice of Data Breach. Letter to GM customers. May 16, 2022.  Via Office of the Attorney General. State of California

Access your LexisNexis Consumer Disclosure Report.  Web portal. Accessed March 18, 2024. LexisNexis Risk Solutions

Why it matters

Cases like these should add momentum to strong data protection laws that echo the European General Data Protection Regulation, as have also been enacted by several US states.  But commercial interests have thus far proven to be too powerful, despite rising bipartisan interest in regulating data privacy in the US.

Manufacturers hope to minimize the loudness of the alarm bells that should sound for every consumer, by saying (such as in the GM 2022 case) that “The GM accounts did not include date of birth, Social Security number, driver’s license number, credit card information, or bank account information, as that information is not stored in your GM account.”  In other words, if that information was stored there, it would also have been stolen.
