Cyber Incident Victim: Hyundai Saudi Arabia
Date: Nov 2019
Location: Saudi Arabia
Summary
Hyundai Saudi Arabia suffered a data breach in which an individual hacker exfiltrated approximately 460,000 customer records containing personal and financial details, including full names, email addresses, cities, bank affiliations, monthly salaries, and phone numbers belonging to Saudi Arabian and Iraqi customers. The attacker demanded a Bitcoin ransom in exchange for vulnerability disclosure and data deletion but was ignored after initial contact, leading to claims of persistent server access and possession of proprietary source code highlighting security deficiencies. The same threat actor later compromised additional automotive entities using similar methods, though no evidence linked the intrusion to state-sponsored activity.
Description
In mid-November 2019, an individual using the alias "DarkSly" claimed responsibility for compromising Hyundai Saudi Arabia's systems. The hacker first publicly referenced the breach through a November 13, 2019 tweet showing Hyundai Saudi Arabia's social media account blocking him after initial contact. On November 14, DarkSly tweeted details about allegedly exfiltrated data from Hyundai Saudi Arabia and Hyundai Iraq, claiming possession of approximately 460,000 customer records containing full names, email addresses, cities, bank affiliations, monthly salaries, and cellphone numbers. According to subsequent communications with DataBreaches.net, the total compromised records amounted to approximately 550,000, including 14,000 Iraqi customer records. DarkSly asserted that no passwords or credit card numbers were stored in the accessed databases. The attacker demanded a bug bounty of 1 Bitcoin to disclose vulnerabilities, fix the security flaw, and delete the stolen data, but reported being blocked by Hyundai's accounts after initial engagement attempts. DarkSly maintained continued access to Hyundai's servers as of early December 2019 and claimed possession of corporate source code, stating the company's development security appeared weak enough to enable future re-entry. The hacker threatened to release an attack video or sell the stolen data unless Hyundai responded to demands.

The incident exposed sensitive personal and financial information of customers across Saudi Arabia and Iraq, creating potential identity theft and phishing risks. Hyundai corporate entities did not provide official confirmation or public response to DarkSly's claims despite multiple contact attempts by both the hacker and journalists. Forensic analysis of the breach timeline indicated the attacker retained persistent access for at least three weeks between mid-November and early December 2019. DarkSly's methodology involved exploiting web application vulnerabilities, as evidenced by screenshots showing database access, though specific technical vectors were not detailed publicly. The hacker subsequently claimed unrelated compromises of Jaguar/LandRover systems in early December 2019 using similar techniques, though Hyundai's breach remained distinct. Security researchers noted potential connections to earlier reports attributing automotive sector attacks to Vietnamese state-linked group APT32, but DarkSly explicitly denied affiliation with any nation-state actor or organized group, self-identifying as a solo "greyhat" operator. No evidence emerged of DarkSly executing data sale or video publication threats related specifically to the Hyundai compromise within the immediate reporting period.
