Hyundai’s Indian subsidiary has fixed a bug that exposed the personal details of its customers in the South Asian market.
TechCrunch reviewed a portion of the exposed data that included the registered owner name, postal address, email address and phone number of Hyundai Motor India customers who have had their vehicles serviced at any of the company’s authorized service stations across India. The bug also revealed details of the vehicle, including registration number, colour, engine number and kilometers covered.
In a telephone conversation on Thursday, Hyundai Motor India spokesman Siddhartha P. Saikia said the company would provide a statement. The statement, shared via email, said:
“We understand the importance of protecting our customers’ data and therefore strive to establish robust systems and processes. In addition, these systems are periodically reviewed and updated as needed. The Repair Order/Invoice link is shared only to the customer’s registered mobile number after opting in to receive such updates. These are system generated links without human input. Hyundai assures continuous efforts to safeguard the interests of customers.”
Hyundai Motor India did not respond to questions about whether it had the technical means, such as logs, to identify any improper access to a customer’s files, nor would the company say whether any bad actors exploited the issue.
Security researcher Ashutosh, who preferred not to be fully named, shared the details of the simple bug with TechCrunch. The bug exposed customers’ personal information through web links that Hyundai Motor India shared with them via WhatsApp after they took their vehicles for service at an authorized service station.
The web links, which redirected customers to repair orders and invoices in PDF files, contained the customer’s phone number. A malicious actor could expose the information of other customers by changing the phone number in the link.
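One way to issue such links so that an edited identifier is rejected, shown as an added example that is not Hyundai's code or its actual fix: the link carries an HMAC-signed, expiring token instead of a bare phone number. The secret, field names and sample values are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a server-side secret; in practice it is loaded from a key store.
SECRET = b"constructed-demo-secret"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(invoice_id, phone, ttl_seconds, now=None):
    """Return a link token binding one invoice to one customer until expiry."""
    issued = int(time.time() if now is None else now)
    claims = {"inv": invoice_id, "ph": phone, "exp": issued + ttl_seconds}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).digest()
    # The body is signed, not encrypted: the link holder can read it but not alter it.
    return _b64(body) + "." + _b64(tag)


def resolve_token(token, now=None):
    """Return the claims of a valid token, or None if malformed, altered or expired."""
    try:
        body_part, tag_part = token.split(".")
        body, tag = _unb64(body_part), _unb64(tag_part)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # signature does not cover this body
    claims = json.loads(body)
    current = time.time() if now is None else now
    return claims if current < claims["exp"] else None


def with_changed_phone(token, new_phone):
    """Self-test helper: swap the phone number but keep the original signature."""
    body_part, tag_part = token.split(".")
    claims = json.loads(_unb64(body_part))
    claims["ph"] = new_phone
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + tag_part
```

The server looks up the PDF only from the claims that `resolve_token` returns, never from a raw query parameter, and logging each `None` result gives the access trail needed to spot someone cycling through identifiers.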
TechCrunch confirmed the researcher’s findings and emailed Hyundai Motor India on December 29. The company responded on January 4. TechCrunch shared the details of the bug with Hyundai Motor India on the same day and asked Hyundai Motor India to fix the bug within seven days due to its simplicity and severity. Hyundai Motor India corrected the error on Thursday.
Upon receiving the company’s response, TechCrunch confirmed that the bug had been fixed and the relevant links were no longer active — they redirected to a page that gave an error message.
Founded in 1996, Hyundai Motor India is among the top three automakers in the country, along with Maruti Suzuki and Tata Motors. Hyundai Motor India has a network of more than 1,500 petrol stations in the country. In May, the automaker announced an investment of $2.45 billion (200 billion Indian rupees) over the next 10 years in the southern Indian state of Tamil Nadu to boost its plans for electric vehicles.