Škoda Auto discloses data breach after online shop hack exposes customer data
Škoda Auto has disclosed a data breach after attackers exploited a vulnerability in its German online shop, exposing customer names, addresses, and password hashes.
Škoda Auto, a wholly owned subsidiary of the Volkswagen Group, has disclosed a data breach after attackers hacked its German online shop (shop.skoda-auto.de) and stole the personal information of an undisclosed number of customers. The 130-year-old Czech car maker has over 34,000 employees and reported sales of more than €27 billion in 2025.
As Škoda revealed, threat actors gained access by exploiting an unspecified vulnerability in the software of its e-commerce portal. After detecting the breach, the company reported the incident to the relevant authorities and has fixed the security flaw exploited in the attack. "As part of our technical security monitoring, we discovered that unauthorized individuals had exploited a vulnerability in the standard software used for our online store. This allowed them to temporarily gain unauthorized access to the store system," Škoda said.
The customer information accessed by the threat actors includes a combination of names, addresses, contact information (such as email addresses), phone numbers, order information, and login credentials (including the email address and a cryptographic hash of the password). However, according to Škoda, the attackers were unable to access affected customers' financial information because it was not stored on the compromised systems. "Full credit card details are not stored in the shop system but are processed exclusively by the respective payment service providers. Based on current information, direct access to full credit card details was not possible," the company added.
While Škoda said it has no evidence that the access data has been misused, the company warned affected individuals that phishing attacks might target them and that threat actors may try to log in to their other online accounts if they reused the same credentials. The breach only impacts the shop.skoda-auto.de online store, and a Škoda spokesperson said the incident only impacted "the online shop operated by the Škoda Auto importer in Germany and does not concern Škoda Auto globally." The Škoda Connect Portal and all associated services are not affected.
Škoda's announcement comes after carmakers Renault and Dacia also disclosed a data breach affecting UK customers in October, exposing a wide range of personal and vehicle information. One month earlier, Jaguar Land Rover (JLR) was also hit by a cyberattack that led to a 43% decline in third-quarter wholesale volumes and cost the company over $220 million after severely disrupting production and retail operations.
The incident highlights the ongoing risk to automotive companies from cyberattacks targeting customer-facing web portals. Škoda has not disclosed the total number of affected customers or whether the attackers demanded a ransom. The company has engaged a specialized IT forensics team for technical analysis and reported the incident to the relevant data protection supervisory authority.