A UK man who woke up one morning to discover his bank account being charged for satnav services linked to a car he'd sold months previously has expressed his frustration at Mazda and TomTom over the strange affair.
Ben Rose owned a Mazda CX-5 until late last year. His vehicle included a dashboard-mounted in-car entertainment (ICE) suite powered by TomTom, which later proved to be the source of some strange goings-on that cost him money (since refunded) and made him fear that his personal data had been saved by the car and was now allowing someone else to bill him for the in-car satnav.
In December 2019 Rose sold his Mazda. He told The Register: “After arriving at the car dealer I joked with my children that I was using the ‘self destruct’ button on the car as I dug out the option to wipe all personal data. This is intended to clear out stored phone numbers, recent destinations, home address details. Essentially a factory reset before passing on to the next owner.”
Rose was following the advice in Mazda’s CX-5 owners’ handbook on how to sanitise his data from the car before selling it on. He showed us the relevant page:
The car, he told us, sat on the dealer’s online listings page for months as the COVID-19 pandemic destroyed market demand for cars. Eventually Rose forgot about it – until earlier this month he noticed his debit card had been billed by TomTom.
Rose was stunned: “I got another email from TomTom about the ‘World’ services I had purchased. I hadn't. These services are for a sat nav device I don't have that's permanently fitted in a car I no longer own.”
Connected car data handover headache: There's no quick fix... and it's NOT just Land RoversREAD MORE
He complained to both TomTom and Mazda, and, when he was unhappy with the non-committal replies he received, got in touch with The Register. Why, he asked us, would these companies be billing him for products he didn’t own and couldn’t use? Had his data persisted in the Mazda’s ICE suite?
Third party supplier - nothing to do with us...
We asked Mazda whether its car could have retained Rose’s data despite the reset. PR director Graeme Fudge told us in an emailed statement: “We do not hold any financial or identifiable data on our car systems. When a customer sells a car they delete their data from the car’s system, this includes previous routes, favourites, contacts, telephone numbers and call history, this ensures subsequent customers cannot access any data from the previous owner.”
Fudge continued: “Where the customer has an agreement with a third party supplier, no related financial or identifiable information is held in the car’s system. As the third party relationship is directly between the customer and the supplier, only the customer can change or cancel any services, such as cancellation of subscriptions or changes of customer information.”
When we asked Fudge if Mazda cared about the perception that one of its cars appeared to have retained onboard customer data despite a factory reset, Fudge replied: “The car holds no financial or identifiable data and if he deleted the data prior to selling the car all data stored on the car would have been deleted. The only data stored on the car system would have been previous routes, favourites, contacts, telephone numbers and call history.”
Rose had described to The Register how he used the in-car screen to set up his annual subscription to TomTom after he first bought the Mazda.
TomTom was a little more forthcoming, admitting to emailing a number of Mazda owners to tell them it had signed them up to services they may or may not have wanted, later correcting its blunder.
The satnav firm’s Zita Butler told The Register: “Last week, an email was mistakenly sent to a small number of customers registered with us as owners of a Mazda with our in-car entertainment suite installed. This included Mr Rose. The email informed recipients that their TomTom LIVE Services subscription was being renewed and would be billed for a month at GBP 9.99. As soon as we realized our mistake, we issued a refund for the charged amount, and are contacting those impacted customers to apologize. We understand Mr Rose’s frustration, and have reached out to him personally with our apologies.”
She added that when Rose sold his Mazda, he did not delete his online account with TomTom and remains registered in its customer database to this day.
Rose’s woes shed light on the amount of data collected by modern cars and the necessity of clearing all your online accounts associated with your car when you flog it on – a concept that would have been incomprehensible 15 years ago.
Car infosec expert Ken Tindell, CTO of Canis Automotive Labs, opined that it would take some time before car (and satnav) makers got their heads around the personal data problems – and “before that’s fully fed through to cars on the road”.
“Infotainment falls between two worlds: the culture of car makers is slow and conservative (not least because two tons of speeding metal can be lethal), but the culture of the tech industry is move fast and break things (worship of the MVP god),” Tindell told El Reg. “This inevitably leads to poor implementations as car makers grapple with unfamiliar issues. Cars take years to develop and then remain in production for years after, and there will be new cars rolling off production lines today that were conceived before the year 1BIP (Before iPhone).”
“Time to belt-up and prepare for more of these stories,” he concluded. ®