Skoda warns of customer data breach following shop software hack

Czech carmaker Skoda’s Germany division said a cyber attack targeting its online shop software compromised customers’ personal information and forced it to take its online shop offline.

 

Skoda Germany said this week that it recently discovered that malicious actors had gained access to its standard shop software which stored customers’ hashed login credentials as well as personal information that customers shared when making purchases on the online shop.

 

The carmaker said in a press release that the standard shop software featured a vulnerability which malicious actors exploited to gain access to the system. Skoda Germany discovered the unauthorised access during technical security monitoring and immediately took steps to sever the malicious access and took the Skoda online shop offline as a precautionary measure.

 

"The vulnerability has since been fixed, and the incident has been referred to a specialized IT forensics team for technical analysis. The incident has also been reported to the relevant data protection supervisory authority," Skoda Germany said.

 

A wholly owned subsidiary of the German Volkswagen Group, Skoda Auto is one of the world’s largest automobile manufacturers, selling automobiles in more than a 100 countries worldwide. The company employs over 37,500 people, manufactured over 800,000 cars in 2024 and earns a revenue of over €25 billion annually.

 

The carmaker said the compromised standard shop software stored customers’ names, addresses, phone numbers, email addresses, order information and login credentials. The compromised software, however, did not store customers’ payment information such as complete card numbers as payments are processed through external payment service providers. 

 

Skoda Germany did not state for how long the hackers enjoyed access to the system or how much data had been exfiltrated.

 

"Technical analysis has revealed that access to data stored in the shop was theoretically possible. However, due to the nature of the existing protocols, it is not possible to retrospectively determine in detail whether and to what extent data was actually copied or accessed," the company said.

 

"Currently, we have no concrete evidence of misuse of customer data. Since data access cannot be ruled out with absolute certainty, we are informing you as a precautionary measure to enable you to take your own protective measures."

 

Skoda Germany said that after it identified the vulnerability, it quickly fixed the software and conducted a detained forensic analysis with help from an external IT forensics firm. The carmaker also notified data protection agencies about the incident and reviewed and strengthened existing cyber security mechanisms.

 

"Should data have been compromised in connection with the security incident and leaked from the shop system, this could lead to affected individuals receiving an increased number of unsolicited contacts, for example, in the form of emails referring to previous orders or known data," the company warned.

 

"In the coming weeks, please pay close attention to emails, text messages, or calls that refer to your relationship with Škoda or to orders placed in the online shop, especially if you are asked to enter login details, disclose confidential information, or click on links," it added.