Hyundai’s India subsidiary Hyundai has fixed the flaw that exposed personal information of its customers in the South Asian market.
TechCrunch reviewed a portion of the exposed data that included the registered owner’s name, postal address, email address and phone number of Hyundai Motor India customers who had their vehicles serviced at any of the company’s authorized service stations across India. The error also revealed vehicle details, including registration number, colour, engine number and mileage.
In a phone conversation on Thursday, Hyundai Motor India spokesperson Siddhartha P Saikia said the company would make a statement. When shared via email, the statement said:
“We recognize the importance of protecting our customers’ data and hence strive to create robust systems and processes. Moreover, these systems are reviewed and updated periodically based on the needs. The repair request/invoice link is shared only on the mobile number registered by the customer, once they subscribe In receiving these updates, these are links generated by the system without any human intervention. Hyundai confirms continued efforts to protect customer interests.
Hyundai Motor India did not answer questions about whether it had the technical means, such as logs, to identify any improper access to customer records, nor did the company say whether any bad actors exploited the issue.
Security researcher Ashutosh, who preferred to remain anonymous, shared details about the simple bug with TechCrunch. The bug exposed customer personal information through web links that Hyundai Motor India shared with customers via WhatsApp after receiving their vehicles for maintenance at an authorized service station.
Web links that redirected customers to repair orders and invoices in PDF files contained the customer’s phone number. A malicious actor can expose other customers’ information by changing the phone number in the link.
TechCrunch confirmed the researcher’s findings and sent an email to Hyundai Motor India on December 29. The company responded on January 4. TechCrunch shared details of the flaw with Hyundai Motor India on the same day, and asked Hyundai Motor India to fix the flaw within seven days due to its simplicity and severity. Hyundai Motor India fixed the glitch on Thursday.
Upon receiving the company’s response, TechCrunch confirmed that the bug had been fixed, and that the links in question were no longer active – and had been redirected to a page displaying an error message.
Founded in 1996, Hyundai Motor India is among the country’s top three automakers, along with Maruti Suzuki and Tata Motors. Hyundai Motor India has a network of over 1,500 service stations in the country. In May, the automaker announced an investment of $2.45 billion (INR 200 billion) over the next 10 years in the southern Indian state of Tamil Nadu to boost its electric vehicle plans.