Hyundai’s Indian branch has successfully resolved a glitch that exposed sensitive personal information of its customers in the South Asian market.
TechCrunch conducted a thorough review of the exposed data, which included registered names, mailing addresses, email addresses, and phone numbers of Hyundai Motor India customers who had utilized the company’s authorized service stations across India. Along with this, the bug revealed vehicle specifications such as registration number, color, engine number, and mileage.
In a phone interview on Thursday, Hyundai Motor India spokesperson Siddhartha P. Saikia stated that the company would provide a statement. When asked via email, the statement read:
“We are highly aware of the importance of safeguarding our customers’ data and continually strive to implement robust systems and processes. These systems are regularly reviewed and updated as necessary. The link for Repair Orders/Invoices is only shared with the customer’s registered mobile number after they have opted in to receive such updates. These links are system-generated without any human involvement. Hyundai assures its commitment to protecting the interests of its customers.”
Hyundai Motor India did not respond to inquiries regarding whether they had the technical capabilities, such as logs, to track any unauthorized access to customer records. Additionally, the company did not confirm if any malicious actors had taken advantage of the glitch.
Security researcher Ashutosh (who wished to remain anonymous), shared details of the bug with TechCrunch. The bug allowed access to the customer’s personal information through web links that Hyundai Motor India shared via WhatsApp, following vehicle servicing at an authorized service station.
The web links directed customers to PDF files containing repair orders and invoices, which included the customer’s phone number. By altering the phone number in the link, a malicious actor could potentially access the personal information of other customers.
TechCrunch verified the researcher’s findings and contacted Hyundai Motor India on December 29. The company responded on January 4th. On the same day, TechCrunch shared details of the bug with Hyundai Motor India and requested they resolve the issue within seven days due to its simplicity and severity. The bug was successfully resolved by Hyundai Motor India on Thursday.
Upon receiving confirmation of the fix, TechCrunch confirmed that the links in question were no longer active and redirected to an error message page.
Hyundai Motor India was established in 1996 and is currently one of the top three car manufacturers in the country, alongside Maruti Suzuki and Tata Motors. With a network of over 1,500 service stations, in May the company announced an investment of $2.45 billion (200 billion Indian rupees) in the southern Indian state of Tamil Nadu to support its plans for electric vehicles.