Decommissioned cars retain owners’ personal data for years — and it can be easily recovered

Research by cybersecurity expert Romain Marchand from Quarkslab shows that even scrapped vehicles can store sensitive user data for years, and accessing it does not require sophisticated hacking techniques.

Data persists even after disposal

As part of the experiment, the researcher purchased a telematics control unit (TCU) previously used in a BYD Seal via an online marketplace linked to vehicle dismantling.

Examination of the hardware revealed that the module was based on solutions from Qualcomm and used memory manufactured by Micron Technology. Extracting data from the NAND storage gave access to a Linux-based file system containing system configurations and operational logs.

Notably, the data was not encrypted, making it relatively easy to retrieve.

Full movement history exposed

The internal logs contained detailed records of the vehicle’s movements. In effect, it was possible to reconstruct the entire lifecycle of the car — from production in China to use in the UK and eventual disposal in Poland.

A cluster of GPS coordinates in one location drew particular attention. Further analysis made it possible to identify the exact site and match it with a Facebook post about a traffic accident. The data corresponded precisely to an incident involving the same vehicle.

This demonstrates that the telematics unit effectively functions as a long-term archive of user activity.

Issue goes beyond a single manufacturer

According to Romain Marchand, similar data storage architectures are used not only by BYD but also by other automakers. This suggests a systemic vulnerability across the connected car industry.

Even performing a factory reset does not guarantee complete data removal. Modern vehicles contain numerous electronic control units (ECUs), many of which lack user-accessible interfaces for data wiping.

Risks for users and businesses

This situation creates serious risks of personal data exposure, including travel history, behavioral patterns, and other sensitive information. It is particularly relevant for car rental, leasing, and fleet management companies.

Experts recommend maintaining strict digital hygiene: avoid connecting personal devices to shared vehicles and perform factory resets whenever possible. However, even these measures do not fully eliminate the risk.

Regulatory limits and technical challenges

Modern vehicles both store data locally and transmit it to manufacturers for analytics and service improvements. At the same time, users often have little visibility into what data is retained and where it is stored.

Although the General Data Protection Regulation requires anonymization of personal data within the EU, its implementation in the automotive sector remains complex. Some data must remain linked to the vehicle to support navigation, driver assistance systems, and over-the-air updates.

As a result, even after a vehicle’s lifecycle ends, traces of user data may persist and potentially become accessible to third parties.

