Škoda Confirms Online Shop Hack Exposes Customer Data, Says Credit Card Info Safe
Škoda reports a breach of its online shop after attackers exploited a software vulnerability, accessing personal data but not full credit‑card details.

TL;DR: Škoda confirmed that threat actors gained temporary access to its online shop by exploiting a vulnerability in the store software, stealing personal data but not full payment card details. The company has patched the flaw, notified authorities, and warned customers of possible phishing attempts.
Context
Škoda Auto, a Volkswagen Group subsidiary, reported the breach after detecting unauthorized activity in its online store. The automaker delivers over one million vehicles annually and posted €27 billion in sales in 2025. The incident follows similar disclosures by Renault/Dacia and Jaguar Land Rover earlier in the year.
Key Facts
Attackers exploited an unspecified vulnerability in the standard e‑commerce platform, achieving temporary unauthorized access (MITRE ATT&CK T1190 – Exploit Public‑Facing Application). Exposed data included names, postal and email addresses, phone numbers, order information, and login credentials consisting of email addresses and cryptographic password hashes. Škoda stated that full credit‑card numbers are processed exclusively by third‑party payment providers and were not stored on the compromised system, so attackers could not obtain them.
What It Means
The breach highlights the risk of relying on third‑party shop software without timely patching. While payment data appears safe, exposed personal information and credential hashes enable credential‑stuffing and targeted phishing. Organizations should treat any web‑app flaw as a potential gateway to broader data theft, even when financial details are segregated.
Mitigations
- Apply the latest security patches for the affected e‑commerce platform immediately; monitor vendor advisories for CVE identifiers related to the flaw.
- Deploy web‑application firewalls with rules targeting known exploitation patterns (e.g., OWASP Top 10 A01:2021 – Broken Access Control).
- Reset all customer passwords and enforce multi‑factor authentication for shop accounts.
- Monitor authentication logs for abnormal login attempts (MITRE ATT&CK T1078 – Valid Accounts) and enable alerts for password‑spraying or credential‑stuffing.
- Educate customers about phishing indicators and encourage them to review account activity and payment statements.
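The authentication-log monitoring item above, sketched as an added example (not code from Škoda or from the original article): it flags a source that fails logins against many distinct accounts in a short window and lists accounts that then authenticate successfully from that source, which are the ones to reset first. The log format, the thresholds and the names `parse` and `detect_stuffing` are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed): "<UTC timestamp> ip=<src> user=<email> result=ok|fail"
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

def parse(line):
    m = LINE_RE.match(line.strip())
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    except (AttributeError, ValueError):
        return None  # malformed line or timestamp: skip it, keep the monitor running
    return ts, m.group(2), m.group(3).lower(), m.group(4)

def detect_stuffing(lines, window=timedelta(minutes=5), min_accounts=4):
    """Flag sources whose failed logins hit >= min_accounts distinct accounts
    within `window`; record accounts that then log in OK from that source.
    Input must be in chronological order."""
    recent = defaultdict(deque)  # ip -> (ts, user) failures still inside the window
    alerts = {}
    for ts, ip, user, result in filter(None, map(parse, lines)):
        q = recent[ip]
        while q and ts - q[0][0] > window:
            q.popleft()
        if result == "fail":
            q.append((ts, user))
            accounts = {u for _, u in q}
            if len(accounts) >= min_accounts:
                entry = alerts.setdefault(ip, {"accounts": set(), "hits": set()})
                entry["accounts"] |= accounts
        elif ip in alerts:
            alerts[ip]["hits"].add(user)  # valid credential used by a flagged source
    return alerts

# Constructed sample lines (documentation IP ranges, example.com accounts).
SAMPLE = [
    "2025-01-01T10:00:05Z ip=203.0.113.7 user=a@example.com result=fail",
    "2025-01-01T10:00:06Z ip=203.0.113.7 user=b@example.com result=fail",
    "2025-01-01T10:00:07Z ip=203.0.113.7 user=c@example.com result=fail",
    "2025-01-01T10:00:08Z ip=203.0.113.7 user=d@example.com result=fail",
    "2025-01-01T10:00:09Z ip=203.0.113.7 user=e@example.com result=ok",
    "2025-01-01T10:00:30Z ip=198.51.100.20 user=anna@example.com result=ok",
    "malformed line without fields",
]

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE).items():
        print(ip, sorted(info["accounts"]), "successful:", sorted(info["hits"]))
```

Per-source counting misses attacks distributed across many addresses, so a production rule would also track failures per account and per time bucket across all sources.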
Watch for any follow‑up disclosures from Škoda regarding the total number of affected records and whether threat actors attempt to misuse the stolen data.