The Volkswagen Group has issued a statement in response to claims by the ransomware group 8Base, who say they stole and leaked sensitive information from the automaker.
The German company stresses that its core IT infrastructure remains unaffected, but the brief statement leaves several questions unanswered — including whether the incident may be linked to a breach at a supplier or partner.
8Base – from encryption to data extortion
8Base is a cybercriminal group that emerged in early 2023 and quickly became known for its double-extortion tactics, where stolen data is used as leverage in addition to—or instead of—encrypting files. The group uses variants of Phobos ransomware and is particularly noted for prioritizing data theft and public exposure over traditional file encryption.
In September 2024, 8Base claimed to have compromised Volkswagen’s network and downloaded a large volume of internal documents. The attackers threatened to publish the materials on 26 September, three days after the alleged exfiltration.
Although the deadline passed without any specific materials being released, Volkswagen was listed on the group’s dark web site with categories that reportedly included:
- Invoices and receipts
- Accounting records
- Personnel and employment contracts
- Payroll documents and certificates
- Non-disclosure agreements and internal reports
Security analysts who monitor dark web activity say this is typical of 8Base campaigns, where the threat of publication is regularly used to pressure victims into paying ransoms.
Potential global impact
If the claims are true, the stolen material could contain sensitive information from across Volkswagen’s global operations, including brands such as Audi, Porsche, Bentley, Lamborghini, Škoda, SEAT and Cupra. With 153 production sites and hundreds of thousands of employees worldwide, a confirmed data breach would have far-reaching consequences — both legally and financially.
Under the EU’s GDPR framework, confirmed violations that expose sensitive personal data can result in fines up to 4% of global turnover. Volkswagen has not confirmed any actual data leak to date, and no customer data has been reported compromised so far.
Volkswagen’s response and ongoing investigation
In a short statement to German media, a Volkswagen spokesperson said the company is aware of the “incident” and that internal security reviews are underway. The company emphasized that its primary IT systems have not been affected, suggesting the attack may have occurred through a third-party supplier or partner organization.
Given Volkswagen’s complex ecosystem of thousands of suppliers and subcontractors across Europe and Asia, a third-party breach is a plausible scenario, though the company has not confirmed this.
Cybersecurity experts point out that supply-chain vulnerabilities are often the weakest link for large corporations. Ransomware groups commonly gain access via phishing campaigns or by using purchased credentials from so-called “initial access brokers.” According to multiple research reports, 8Base has targeted over 400 organizations worldwide since its inception.
8Base — an industry threat
Unlike some more technically advanced ransomware operations such as LockBit or BlackCat, 8Base functions primarily as a pure data-extortion group. They leverage existing infrastructure and tools, which can make them difficult to trace while enabling rapid action.
The group has also used a variety of social engineering techniques, including fake emails and compromised cloud accounts, to gather initial footholds before carrying out intrusions.
Security professionals note that the automotive industry has increasingly become a target for cybercriminals because it handles large volumes of personal and production data and depends heavily on digital systems across manufacturing and supply chains. An attack against a global manufacturer can therefore produce significant downstream effects for suppliers and partner companies.
Lessons for companies and authorities
Multiple cybersecurity firms are now urging stronger third-party risk management, especially within critical industrial sectors like automotive and manufacturing. Recommended measures include:
- Conducting continuous security assessments of suppliers
- Monitoring access to cloud and remote services
- Enforcing stricter MFA requirements (multi-factor authentication)
- Ensuring incident response plans are updated and regularly tested
The Volkswagen incident highlights how ransomware groups such as 8Base continue to target large industrial groups, where the economic and legal pressure on victims can be substantial. Organizations should treat supply-chain security as a priority and adopt proactive measures to reduce exposure to similar threats.