Almost all those impacted were current or potential customers of Audi, the luxury brand of Volkswagen.
According to the automaker, an unauthorized third party obtained limited personal details about customers and interested buyers from a vendor that its Audi Volkswagen brands and some U.S. and Canadian dealers have used for digital sales and marketing.
The data was collected for sales and marketing between 2014 and 2019 and was in an electronic file the vendor left without security.
The company informed regulators the vast majority of customers had nothing more phone numbers and email addresses potentially impacted by the data breach. In some cases, data also consisted of details about a vehicle purchased, leased, or inquired about.
Volkswagen said 90,000 Audi customers and potential customers had sensitive data affected relating to purchase or lease eligibility.
The automaker said it will offer free credit protection services to those individuals.
The sensitive data was comprised of driver license numbers in over 95% of cases. A small number of records included extra data like dates of birth, Social Security numbers, and account numbers.
The automaker does not believe sensitive data is involved in Canada.
Of over 3.1 million people affected are in the United States.
The automaker believes the data was gathered at some point between August 2019 and May 2021, when the automaker identified the source of the incident.