ctipilot.ch

Škoda Auto Deutschland online-shop breach exposes customer PII and password hashes; logging gap prevents exfiltration confirmation

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

Škoda Auto Deutschland GmbH disclosed on 2026-05-11 that an unauthorised actor exploited a vulnerability in the standard shop-software platform underlying its German online-retail store, accessing customer names, postal addresses, email addresses, telephone numbers, order history, account data and password hashes (Škoda Auto Deutschland — Sicherheitsvorfall Škoda Shop; SecurityWeek, 2026-05-11). Credit-card data was not exposed: payment processing is delegated to external PSPs, and card data is never stored in the shop database. Škoda's own monitoring detected the intrusion; the shop was taken offline, the underlying vulnerability patched, and external forensics retained. The disclosure flags one notable operational shortfall in the company's own framing: insufficient logging coverage prevents investigators from determining definitively whether the accessed data was actually exfiltrated, so customers must be treated as if it was. Škoda Auto a.s. is a VW Group subsidiary headquartered in Mladá Boleslav (Czech Republic); the German operating company's notification reached the competent EU supervisory authority within the GDPR Article 33 72-hour window. No threat actor has been attributed.