Cyber Incident Victim: Hyundai Motor Company

Date: Apr 2023

Location: Italy

Summary

A Hyundai data breach exposed the personal information of car owners and test drive registrants in France and Italy. The compromised data included email addresses, physical addresses, telephone numbers, and vehicle chassis numbers, though no financial data was taken. The company took the impacted systems offline and engaged IT experts, while warning customers to be vigilant for potential phishing attempts stemming from the incident.

Description

On or around April 11, 2023, Hyundai, the multinational automotive manufacturer, disclosed a data breach impacting car owners and individuals who had booked test drives in France and Italy. The company confirmed that unauthorized actors, described as hackers, had gained access to a database containing personal information. Hyundai engaged its IT experts in response to the incident. These experts took the impacted systems offline as a containment measure. The systems were planned to remain offline until additional security measures could be implemented to prevent further unauthorized access. The company did not specify the duration of the network intrusion prior to its detection, nor did it detail the exact methods used by the attackers to compromise the database.

The scope of the breach was confirmed to be limited to the personal data of individuals in France and Italy. The types of data exposed included email addresses, physical addresses, telephone numbers, and vehicle chassis numbers. Hyundai's disclosure, as shared in a sample notice, specifically clarified that the hacker did not access or steal financial data or identification numbers. The exact number of individuals impacted by this incident was not disclosed by the company in the immediate aftermath. It also remained unclear if customers in other European countries, beyond France and Italy, were affected.

As part of its response, Hyundai formally notified data protection authorities in both France and Italy about the security incident, in compliance with regional data breach notification laws. The company also began directly communicating with the affected car owners and test drive registrants. The communication to customers in Italy, from Hyundai Italia, served as a warning about potential secondary attacks stemming from the data exposure. The letter stated that although there was no evidence the stolen data had been used for fraudulent purposes at the time of the notification, customers should exercise extreme caution.

Hyundai advised its customers to be vigilant against unsolicited emails, physical mail, and SMS texts that might appear to originate from Hyundai Italia or other entities within the Hyundai Group. The company warned that these communications could be phishing and social engineering attempts by threat actors leveraging the recently exposed personal information to appear more credible. The same warning and advice were extended to affected customers in France through a corresponding communication from the local entity.

This data breach was not an isolated cybersecurity incident for Hyundai in the early months of 2023. Just two months prior, in February 2023, the company had to roll out emergency software updates for several of its car models. These updates addressed a security vulnerability that was being exploited by thieves. The exploit involved a simple USB cable connection that could be used to bypass the vehicle's security systems and steal the car. Earlier, in December 2022, security researchers had discovered bugs in the official Hyundai app. These vulnerabilities allowed remote attackers to unlock and start various impacted vehicle models. The same app bugs also had the potential to expose car owner information, creating a separate data exposure risk prior to the April breach. The recurrence of these issues highlighted a pattern of cybersecurity challenges facing the automotive manufacturer and its connected systems. The April 2023 incident specifically underscored the risk to customer data stored in corporate databases, separate from the vulnerabilities found in the physical vehicles and their associated applications.
