TomTom bill bomb: Why am I being charged for infotainment? I sold my car last year, rages Reg reader

Mazda shrugs off ex-owner's bizarre involuntary data retention story

A UK man who woke up one morning to discover his bank account being charged for satnav services linked to a car he'd sold months previously has expressed his frustration at Mazda and TomTom over the strange affair.

Ben Rose owned a Mazda CX-5 until late last year. His vehicle included a dashboard-mounted in-car entertainment (ICE) suite powered by TomTom, which later proved to be the source of some strange goings-on that cost him money (since refunded) and made him fear that his personal data had been saved by the car and was now allowing someone else to bill him for the in-car satnav.

In December 2019 Rose sold his Mazda. He told The Register: “After arriving at the car dealer I joked with my children that I was using the ‘self destruct’ button on the car as I dug out the option to wipe all personal data. This is intended to clear out stored phone numbers, recent destinations, home address details. Essentially a factory reset before passing on to the next owner.”

Rose was following the advice in Mazda’s CX-5 owners’ handbook on how to sanitise his data from the car before selling it on. He showed us the relevant page:

mazda satnav

Click to enlarge

The car, he told us, sat on the dealer’s online listings page for months as the COVID-19 pandemic destroyed market demand for cars. Eventually Rose forgot about it – until earlier this month he noticed his debit card had been billed by TomTom.

Rose was stunned: “I got another email from TomTom about the ‘World’ services I had purchased. I hadn't. These services are for a sat nav device I don't have that's permanently fitted in a car I no longer own.”

Man holds the BMW f30 key fob with an apple watch showing the connected drive information.

Connected car data handover headache: There's no quick fix... and it's NOT just Land Rovers


He complained to both TomTom and Mazda, and, when he was unhappy with the non-committal replies he received, got in touch with The Register. Why, he asked us, would these companies be billing him for products he didn’t own and couldn’t use? Had his data persisted in the Mazda’s ICE suite?

Third party supplier - nothing to do with us...

We asked Mazda whether its car could have retained Rose’s data despite the reset. PR director Graeme Fudge told us in an emailed statement: “We do not hold any financial or identifiable data on our car systems. When a customer sells a car they delete their data from the car’s system, this includes previous routes, favourites, contacts, telephone numbers and call history, this ensures subsequent customers cannot access any data from the previous owner.”

Fudge continued: “Where the customer has an agreement with a third party supplier, no related financial or identifiable information is held in the car’s system. As the third party relationship is directly between the customer and the supplier, only the customer can change or cancel any services, such as cancellation of subscriptions or changes of customer information.”

When we asked Fudge if Mazda cared about the perception that one of its cars appeared to have retained onboard customer data despite a factory reset, Fudge replied: “The car holds no financial or identifiable data and if he deleted the data prior to selling the car all data stored on the car would have been deleted. The only data stored on the car system would have been previous routes, favourites, contacts, telephone numbers and call history.”

Rose had described to The Register how he used the in-car screen to set up his annual subscription to TomTom after he first bought the Mazda.

TomTom was a little more forthcoming, admitting to emailing a number of Mazda owners to tell them it had signed them up to services they may or may not have wanted, later correcting its blunder.

The satnav firm’s Zita Butler told The Register: “Last week, an email was mistakenly sent to a small number of customers registered with us as owners of a Mazda with our in-car entertainment suite installed. This included Mr Rose. The email informed recipients that their TomTom LIVE Services subscription was being renewed and would be billed for a month at GBP 9.99. As soon as we realized our mistake, we issued a refund for the charged amount, and are contacting those impacted customers to apologize. We understand Mr Rose’s frustration, and have reached out to him personally with our apologies.”

She added that when Rose sold his Mazda, he did not delete his online account with TomTom and remains registered in its customer database to this day.

Rose’s woes shed light on the amount of data collected by modern cars and the necessity of clearing all your online accounts associated with your car when you flog it on – a concept that would have been incomprehensible 15 years ago.

Car infosec expert Ken Tindell, CTO of Canis Automotive Labs, opined that it would take some time before car (and satnav) makers got their heads around the personal data problems – and “before that’s fully fed through to cars on the road”.

“Infotainment falls between two worlds: the culture of car makers is slow and conservative (not least because two tons of speeding metal can be lethal), but the culture of the tech industry is move fast and break things (worship of the MVP god),” Tindell told El Reg. “This inevitably leads to poor implementations as car makers grapple with unfamiliar issues. Cars take years to develop and then remain in production for years after, and there will be new cars rolling off production lines today that were conceived before the year 1BIP (Before iPhone).”

“Time to belt-up and prepare for more of these stories,” he concluded. ®

Other stories you might like

  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading
  • Utility biz Delta-Montrose Electric Association loses billing capability and two decades of records after cyber attack

    All together now - R, A, N, S, O...

    A US utility company based in Colorado was hit by a ransomware attack in November that wiped out two decades' worth of records and knocked out billing systems that won't be restored until next week at the earliest.

    The attack was detailed by the Delta-Montrose Electric Association (DMEA) in a post on its website explaining that current customers won't be penalised for being unable to pay their bills because of the incident.

    "We are a victim of a malicious cyber security attack. In the middle of an investigation, that is as far as I’m willing to go," DMEA chief exec Alyssa Clemsen Roberts told a public board meeting, as reported by a local paper.

    Continue reading

Biting the hand that feeds IT © 1998–2021