Hyundai Motor’s Indian unit has fixed a bug that exposed customers’ personal information in the South Asian market.
TechCrunch reviewed some of the exposed data, which included the registered names, postal addresses, email addresses and phone numbers of Hyundai Motor India customers who had their vehicles serviced at any of the company’s authorized service stations across India. The vulnerability also exposed vehicle details including license plate number, color, engine number and mileage.
Hyundai Motor India spokesperson Siddhartha P. Saikia said in a phone conversation on Thursday that the company would provide a statement. The statement, later shared via email, said:
“We understand the importance of protecting customer data and therefore work hard to create strong systems and processes. Additionally, these systems are regularly reviewed and updated as necessary. Once a customer has opted in to receive such updates, the repair order/invoice link will only be available on the customer’s registered page shared on mobile phone numbers. These are system-generated links without any human involvement. Hyundai assures that it will continue to work hard to safeguard the interests of its customers.”
Hyundai Motor India did not respond to questions about whether it had technical means such as logs to identify improper access to customer records, nor did it disclose whether any bad actors had taken advantage of the issue.
Ashutosh, a security researcher who requested anonymity, shared details about this simple error with TechCrunch. The vulnerability exposed customers’ personal information through an internet link shared with them via WhatsApp after Hyundai Motor India received the vehicle at an authorized service station for repairs.
The web links that take customers to their repair orders and invoices, which are served as PDF files, contain the customer’s phone number. A malicious actor could change the phone number in the link to reveal other customers’ information.
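The sketch below is an added illustration, not part of the original report and not Hyundai's code. It contrasts a link keyed only on a phone number with one common mitigation, a signed and expiring token. The endpoint, parameter names, secret and order id are all constructed for the example.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
BASE = "https://service.example.invalid/invoice"  # hypothetical endpoint

def weak_link(phone: str) -> str:
    # The pattern the article describes: a guessable phone number is the only
    # lookup key, so editing it in the URL selects another customer's record.
    return f"{BASE}?mobile={phone}"

def _sign(payload: str) -> str:
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def issue_link(order_id: str, ttl: int = 7 * 24 * 3600, now=None) -> str:
    # Bind the link to one repair order and an expiry time, then sign both.
    issued = int(time.time() if now is None else now)
    payload = f"{order_id}.{issued + ttl}"
    return f"{BASE}?t={payload}.{_sign(payload)}"

def verify_token(token: str, now=None):
    """Return the order id if the token is authentic and unexpired, else None."""
    try:
        order_id, exp, sig = token.rsplit(".", 2)
        expires_at = int(exp)
    except ValueError:
        return None  # malformed token
    expected = _sign(f"{order_id}.{exp}")
    # Constant-time comparison; any edited field changes the expected signature.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if (time.time() if now is None else now) > expires_at:
        return None
    return order_id

if __name__ == "__main__":
    link = issue_link("RO-1001")  # constructed order id
    print(weak_link("0000000000"))  # constructed phone number
    print(link, "->", verify_token(link.split("?t=")[1]))
```

A signed link is still a bearer credential: anyone holding it can open the document, so a short expiry and access logging on the endpoint remain worthwhile.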
TechCrunch confirmed the researcher’s findings and sent an email to Hyundai Motor India on December 29. The company responded on January 4. On the same day, TechCrunch shared the details of the vulnerability with Hyundai Motor India and asked the company to fix it within seven days, given its simplicity and severity. Hyundai Motor India fixed the bug on Thursday.
After receiving a response from the company, TechCrunch confirmed that the error had been fixed and that the link in question no longer works; it now redirects to a page showing an error message.
Hyundai Motor India, founded in 1996, is one of the three largest automakers in India, along with Maruti Suzuki and Tata Motors. Hyundai Motor India has a network of over 1,500 petrol stations in the country. In May, the automaker announced it would invest $2.45 billion (INR 200 billion) in the southern Indian state of Tamil Nadu over the next 10 years to support its electric vehicle plans.