"As part of our technical security monitoring, we discovered that unauthorized individuals had exploited a vulnerability in the standard software used for our online store," Škoda said.
Škoda says vulnerability in e-commerce software allowed access
Škoda Auto, a wholly owned subsidiary of the Volkswagen Group, disclosed that attackers gained access to its online shop by exploiting an unspecified vulnerability in the e-commerce portal's software. The company reported that it detected the intrusion through its technical security monitoring, has resolved the vulnerability, and has handed the incident to a specialized IT forensics team for technical analysis. Škoda also said it reported the incident to the relevant data protection supervisory authority.
Customer information exposed — what the company confirmed
According to Škoda, the threat actors were able to access a combination of personal and transactional customer information. The data types the company listed include names, addresses, contact information (such as email addresses), phone numbers, order information, and login credentials — specifically the email address and a cryptographic hash of the password.
Škoda explicitly stated that full credit card details were not stored in the shop system and therefore were not accessible through the compromised systems. "Full credit card details are not stored in the shop system but are processed exclusively by the respective payment service providers," the company said, adding that "based on current information, direct access to full credit card details was not possible."
Škoda's warnings to customers and immediate guidance
While Škoda said it has no evidence that the accessed login data has been misused, the company warned customers to be extra vigilant for phishing and account-takeover attempts. "In the coming weeks, please be extra vigilant regarding emails, text messages, or phone calls that refer to your relationship with Škoda or to orders placed in the online store, especially if you are asked to enter login credentials, disclose confidential information, or click on links," Škoda advised.
The company also recommended that customers check their bank statements and credit card bills and immediately notify their bank or the relevant payment service provider if they notice anything unusual.
Company scale and related automaker incidents
The announcement comes from Škoda Auto, described in the company statement as a 130-year-old Czech car maker with more than 34,000 employees. Škoda reported sales of more than €27 billion and a profit of nearly €2 billion in 2025, and said it delivered over 1 million cars to customers.
Škoda's disclosure follows other recent cyber incidents in the auto sector. Renault and Dacia publicly disclosed a data breach affecting UK customers in October that exposed names, addresses, and vehicle identification and registration numbers. Jaguar Land Rover suffered a cyberattack one month earlier that the company said led to a 43% decline in third-quarter wholesale volumes and cost the automaker more than $220 million after severely disrupting production and retail operations.
What this means for affected customers, technologists, and regulators
- Affected customers: Those whose email addresses and hashed passwords were accessed should expect targeted phishing or account-takeover attempts and are advised by Škoda to monitor communications and financial statements and to notify banks or payment providers of suspicious activity.
- Technologists and security teams: The breach involved exploitation of a vulnerability in standard e-commerce software; Škoda fixed the flaw and engaged a specialized IT forensics team, underscoring the need to monitor vendor software and rapidly deploy patches when vulnerabilities are found.
- Regulators and data protection authorities: Škoda reported the incident to the relevant data protection supervisory authority, signaling that regulatory notification processes are already in motion and that agencies will have a forensic report to review as the company's investigation proceeds.
A Škoda spokesperson was not immediately available for further comment when BleepingComputer reached out for details including the total number of affected customers and whether the company had been in contact with the attackers about paying a ransom. The company has said the exploited vulnerability has been resolved and that forensic analysis is underway.
The next concrete steps named by Škoda are under way: a technical analysis by the specialized IT forensics team and notifications to the relevant authorities. For now, Škoda's public record balances two facts — personal and login data were accessed, and full payment card details were not stored on the compromised systems — while the exact scope and any possible misuse of the accessed records remain to be determined by the ongoing investigation.




