How to address the increasing threat of cyberattacks on EV charging stations

As electric vehicle adoption accelerates globally, a new frontier has emerged for cybercriminal activity: EV charging infrastructure. Charging stations are increasingly being targeted by various forms of cyberattacks, posing significant risks to both operators and users.

According to Upstream's Automotive & Smart Mobility Global Cybersecurity Report 2025, the year 2024 saw a sharp increase in cyber incidents, with electric vehicles being particularly vulnerable during active charging sessions.

Main security threats during charging

“Quishing” – QR code fraud

One of the most common and effective attack methods involves the placement of fraudulent QR codes on public charging stations. When scanned, these fake codes redirect users to counterfeit payment portals, leading to the theft of payment credentials. This method, known as “quishing” - a blend of “QR” and “phishing” - isn’t new, having already been used on devices like parking meters. However, it remains highly effective. EV drivers often realise something is wrong only when they notice their vehicle isn’t charging.

Cyberattacks targeting charging network operators

Cybercriminal groups are not limiting their attacks to individual stations; charging network operators themselves are also under threat. In an incident in November 2024, a hacker allegedly leaked 116,000 records containing sensitive information obtained from multiple charging providers through vulnerabilities in charging station systems. While some leaked data, such as charger locations or charging events, may not be inherently sensitive, personal information like email addresses and banking details can be easily exploited.

Malicious reprogramming of chargers

Charging stations are susceptible not only to physical vandalism but also to software manipulation. Hackers can reprogram chargers to collect and misuse sensitive user data. Infected chargers may serve as entry points for broader attacks on the entire network, or generating false demand to overload systems. This is why connecting charge points to any system should be done with proper mitigation methods in place.

How do we approach cybersecurity at Virta?

At Virta, our customer’s security is a top priority. That’s why we’ve established a dedicated information security management system (ISMS), overseen by a dedicated team. Our security framework is built on a continuous process that includes active risk management. Each identified risk is assigned an owner and addressed with appropriate measures.

Recognised international certifications

To ensure the highest standard of security, Virta has obtained several globally recognised certifications. We are ISO 27001 certified, which confirms our commitment to implementing stringent controls for protecting customer data. Additionally, we hold SOC 2 certification for security and availability, an auditing standard developed by the American Institute of Certified Public Accountants (AICPA).

Secure software development

Our back-end system is developed according to robust internal security standards. For application development, we follow the best industry standard, and we provide secure development training for our developers. Every system change undergoes rigorous review and testing in a staging environment before going live.

Virta routinely performs vulnerability scans, security audits, and penetration tests. Any issues identified are analysed, with patches and countermeasures deployed quickly.

Data protection and secure communication protocols

We use secure communication protocols throughout our data chain. To mitigate QR code fraud, we’ve introduced digital QR codes displayed directly on charger screens. Equipment security is continuously updated by both manufacturers and Virta, incorporating updates in OCPP (Open Charge Point Protocol) and regulatory standards.

All customer and user data is stored exclusively within the European Union or on the European continent, hosted on Amazon AWS Cloud. Access is strictly limited to designated personnel and is granted based on professional necessity, with permissions reviewed annually. Virta collects only the personally identifiable information required to provide services and retains it only for as long as needed.

Modern infrastructure and secure payments

Our systems are built to avoid reliance on a single data center which makes them more operationally resilient. An automated deployment pipeline ensures the production environment is consistently up-to-date with the latest security patches, while continuous vulnerability scans monitor for any deviations.

In terms of payment security, Virta has implemented strict safeguards to protect sensitive financial data. All credit and debit card information is processed and stored by our PCI-DSS (Payment Card Industry Data Security Standard) certified partner, ensuring top-tier protection for user transactions.

Comprehensive incident management process

We have established protocols for notifying relevant authorities, clearly communicate with stakeholders and ensure thorough incident documentation in case of any critical incidents. With our incident response program, we’re able to understand and resolve security incidents while maintaining proper communication procedures both internally and externally.