Volkswagen Group investigates claims of data breach by Stormous ransomware gang

The Stormous ransomware group listed the Volkswagen Group on its dark web leak site on June 1, asserting that it had stolen sensitive corporate and customer data from the global automotive leader. The group alleged that the exfiltrated data included user account details, authentication tokens, session cookies, contact information, and vehicle identification numbers (VINs). However, it did not disclose the amount of data purportedly obtained, nor did it provide any data samples to support the claims.

Stormous stated that the leaked information would be published in the coming days. The absence of a sample or data size has prompted skepticism regarding the legitimacy of the breach. Nevertheless, the ransomware gang is known for its high-profile activities and may be strategically withholding data to pressure Volkswagen into ransom negotiations.

Volkswagen Group, the world’s largest automaker by revenue and a dominant force in Europe, has not publicly confirmed any security breach. A company spokesperson told Cybernews that internal investigations have thus far found no evidence of unauthorized access to customer or company data. “According to the current state of knowledge of the internal investigations, there was no unauthorized access by external third parties to personal data of customers or sensitive company data. Consequently, no misuse of such data has been identified,” the spokesperson said.

The company emphasized its commitment to data security, noting that any credible indications of data misuse would prompt cooperation with relevant law enforcement authorities. Volkswagen has stated that it continues to review the situation and will take necessary measures if new information emerges.

Stormous, a ransomware group active since 2022, has previously claimed responsibility for cyberattacks on a range of organizations, including the Belgian brewer Duvel Moortgat and various institutions in France. Despite the lack of verifiable data in the current case, the group’s history and tactics suggest it could be leveraging the threat of exposure as a means to extort payment.

This is the second potential data security incident involving the Volkswagen Group in 2025. Earlier this year, a misconfiguration by its software subsidiary, CARIAD, left a cloud database publicly accessible for several months. Ethical hackers from Germany’s Chaos Computer Club discovered that the database exposed terabytes of data related to electric vehicles, including precise geolocation details.

The exposed data affected approximately 800,000 vehicles, with nearly 460,000 containing detailed location information. The majority of impacted vehicles were located in Germany, followed by several other European countries including Norway, Sweden, Belgium, the UK, the Netherlands, France, and Denmark. CARIAD stated that it had promptly fixed the misconfiguration and that, based on its investigation, the data had not been accessed or misused beyond the ethical hacking group.