Automotive manufacturer Hyundai has recently disclosed a breach that has affected an unspecified number of Italian and French car owners as well as individuals who booked a test drive.
The company notified affected individuals via email. Several of them posted a screenshot of the message on Twitter earlier this week.
“I am sorry to inform you that our company has recently learned that an unauthorized third party has had access to some information contained in our customer database,” reads the mail (translated from Italian by Infosecurity journalists). “As soon as we were informed of the incident, we immediately launched an investigation and put in place all measures to contain it.”
The company added that it also blocked the affected server and removed it from its network.
Data impacted by the breach included contact information (such as email, addresses and phone numbers) and vehicle data (such as chassis numbers).
Read more on breaches affecting automotive firms: US Car Giant General Motors Hit by Cyber-Attack Exposing Car Owners’ Personal Info
Commenting on the breach, Brad Freeman, director of technology at SenseOn, said that since the leaked data was limited to test drive bookings and some vehicle serial numbers, this suggests the breach may have been from a non-core website.
“The sheer number of websites and services managed by a complex international business like Hyundai is staggering, and it’s possible that one of these sites may not have had the company’s standard security controls applied,” Freeman added.
Days after the data breach was disclosed, various security researchers revealed on Twitter new flaws in Hyundai mobile apps that exposed different car models after 2012 to remote attacks allowing vehicles to be unlocked and started.
“As modern vehicles become increasingly electronic-based products, they are both more connected and more software-driven,” explained Approov CEO, Ted Miracco. “These trends make all automotive companies much more vulnerable to cyberattacks, particularly those emanating from mobile apps or devices.”
Case in point, UK car dealer Arnold Clark notified customers in February that their data was stolen in a breach that took place in December 2022.
Editorial image credit: Valeriya Zankovych / Shutterstock.com