Hyundai's Indian subsidiary fixed a bug that exposed the personal information of its customers in the South Asian market.
TechCrunch reviewed a portion of the exposed data which included the registered owner's name, postal address, email address and phone number of Hyundai Motor India customers who serviced their vehicles at any of the service stations. authorized offices of the company throughout India. The bug also revealed details of the vehicle including registration number, colour, engine number and mileage covered.
In a telephone conversation on Thursday, Hyundai Motor India spokesperson Siddhartha P. Saikia said the company would make a statement. When shared via email, the statement read:
“We understand the importance of safeguarding our customers' data and, accordingly, we strive to create robust systems and processes. Additionally, these systems are periodically reviewed and updated as needed. The Repair Order/Invoice link is shared only on the mobile number registered by the customer, once the customer has opted in to receive such updates. These are links generated by the system without any human involvement. “Hyundai ensures continuous efforts to safeguard customers’ interests.”
Hyundai Motor India did not answer questions about whether it had the technical means, such as logs, to determine any improper access to a customer's records, nor did it say whether any bad actors took advantage of the issue.
Security researcher Ashutosh, who preferred not to be fully identified, shared details about the simple bug with TechCrunch. The bug exposed customer's personal information through web links that Hyundai Motor India shared with customers via WhatsApp after receiving their vehicles for maintenance at an authorized service station.
Web links that redirected customers to repair orders and invoices in PDF files contained the customer's phone number. A malicious actor could expose other customers' information by changing the phone number in the link.
TechCrunch confirmed the researcher's findings and sent an email to Hyundai Motor India on December 29. The company responded on January 4. TechCrunch shared the details of the error with Hyundai Motor India on the same day and requested Hyundai Motor India to fix the error within seven days due to its simplicity and severity. Hyundai Motor India fixed the bug on Thursday.
Upon receiving the company's response, TechCrunch confirmed that the error had been fixed and that the links in question were no longer active and were redirected to a page that displayed an error message.
Founded in 1996, Hyundai Motor India is among the country's top three automobile manufacturers, along with Maruti Suzuki and Tata Motors. Hyundai Motor India has a network of over 1,500 service stations in the country. In May, the automaker announced an investment of $2.45 billion (200 billion Indian rupees) over the next 10 years in the southern Indian state of Tamil Nadu to bolster its plans for electric vehicles. .