
Hyundai Data Breach May Have Leaked Drivers' Personal Information (caranddriver.com) 54

According to Car and Driver, Hyundai has suffered a data breach that leaked the personal data of up to 2.7 million customers. The leak reportedly took place in February from Hyundai AutoEver, the company's IT affiliate. It includes customer names, driver's license numbers, and social security numbers. Longtime Slashdot reader sinij writes: Thanks to tracking modules plaguing most modern cars, that data likely includes the times and locations of customers' vehicles. These repeated breaches make it clear that, unlike smartphone manufacturers that are inherently tech companies, car manufacturers collecting your data are going to keep getting breached and leaking it.

  • by argStyopa ( 232550 ) on Friday November 14, 2025 @06:56AM (#65795220) Journal

    We know that cached data will leak, eventually.
    So why keep so much data?

    (We know the answer, because they can sell it.)

    I fully understand that details of people's driving habits absolutely can usefully inform car design. No issue. But it could be anonymized at a quite low level.

    Ultimately until the penalties for data loss exceed their value to the firms (not just car companies) literally farming us for data, this won't ever stop.

    • I'm wondering how this plays out in the EU. Are they even permitted to collect all this data (obviously SSNs don't apply there) and what happens if they have a breach? I'm pretty sure the VAG group (VW, Audi, Skoda, maybe SEAT as well) had a breach a year or two ago but I don't know what was stolen and what the consequences were.

      • "It includes customer names, driver's license numbers, and social security numbers"
        I'm wondering why they collected this data in the first place. Well, name and address, sure. But the rest? Maybe it is needed for car insurance and auto loans, but aren't those usually handled by partners?

        BTW most (maybe all) countries in the EU have SSNs, even if they are called something else. (Here it's a "citizen service number"). But you generally don't give that to companies.
    • Until the penalties for data loss exceed the value OF the firms (not just car companies)

      FTFY

      • So, dissolve Hyundai and 130,000 people lose their jobs because a criminal managed to break into a database? Would you call for so draconian a response if someone had broken in and stolen a filing cabinet?

        Hyundai was the victim of a digital burglary, and you want them punished a second time?

        • dissolve Hyundai and 130,000 people lose their jobs because a criminal managed to break into a database?

          No. Because the company collected the data in the first place. "In a database" is a place where criminals are likely to devote enormous resources to stealing it, and which they are unlikely to be able to protect adequately. On top of which, exactly 0 customers want their details to be stored.

        • Maybe the data shouldn't be collected in the first place ... fine them or break them up "pour encourager les autres."
    • by necro81 ( 917438 )
      +1 Insightful.

      (No mod points today, alas, so proxy comment is all I've got.)
    • Well, the only reason I can think of that they would have SSNs would be that the breached database held information about financing. Data they need to retain for practical and compliance purposes, not data harvesting.
  • May have? (Score:5, Informative)

    by Monoman ( 8745 ) on Friday November 14, 2025 @07:11AM (#65795246) Homepage

    Why say "may have" when the articles clearly state the data included name, SSN, and driver's license number? I'm pretty sure that counts as personal data without question.

    Also, why link to the C&D article that adds little or nothing of value to the sourced Forbes article - https://www.forbes.com/sites/l... [forbes.com] ?

    • by AmiMoJo ( 196126 )

      What feature would necessitate the owner giving them their driving licence details? All I needed for mine was an email address and the car's VIN.

      • I was wondering the same thing about SSNs when it hit me. They got the financing database. That's the only time an auto manufacturer needs a customer's SSN - when they're financing the car with a loan from the manufacturer. Also, dealerships run a customer's license to make sure they can drive the car off the lot, and that may also be collected as part of the loan verification process.
        • by AmiMoJo ( 196126 )

          Ah yes, for loans. But really that data should have been kept separate, and deleted as soon as no longer needed. If this happened to anyone in a GDPR country, that will be a factor because there is an obligation to do that kind of thing as a matter of course.

      • What feature would necessitate the owner giving them their driving licence details?

        Did you test drive the car before the purchase? If so, did they let you drive it off the lot without recording enough personal info to be able to identify and find you, if you decided not to return their vehicle?

        • by AmiMoJo ( 196126 )

          I did test drive it, but that's the dealer, not the manufacturer. Due to GDPR they wouldn't be able to share it with the manufacturer, or retain it for longer than a few months (for speeding tickets etc to come in).

          They could break the rules, but if it then leaked or I found out somehow, they would be in it pretty deep.

        • Make a copy of the license, return it or shred it when the car gets returned.
    • They may allegedly have said 'may have' because their lawyers may be more effective than their tech might appear to be to someone not in on the scam.

      Therefore the truth may be qualified with words which appear to diminish it. Standard modern word-weaselry.

    • Perhaps someone who recently got a secondhand Hyundai may not have been in the system, so such drivers potentially got left behind due to lack of thoroughness on the Hyundai subsidiary. Surely they feel sorry about the omission and will strive to do better next time...
  • by quonset ( 4839537 ) on Friday November 14, 2025 @07:18AM (#65795252)

    I have a 2010 Hyundai. None of this garbage is in my car. I turn the key, it starts. No waiting for a computer to boot up and grant me permission to drive or being tracked and, in this case, my information stolen.

    And it's a stick shift.

    KISS is dead.

    • by sinij ( 911942 )
      You will have a hard time finding anything like that in the 2026 model year. Even economy cars today have data links via built-in cell modems.
    • KISS is dead.

      Yeah so are the people who applied it. Died in a car accident easily preventable by advanced intelligent driving systems.

      I'm all for an anti-tracking rant, but the reality is simple cars are the most dangerous. There's a reason it's effectively mandatory to have forward facing range finding systems in all cars in Europe these days along with the computers that are able to process that data.

      And it's a stick shift.

      Uah, that sounds needlessly complex. You have a gearbox? Why not just have a motor spin the wheels directly like a mode

      • I'm all for danger ... better to have privacy than perfect safety, cowards. Not like the world is underpopulated.
  • by sinij ( 911942 ) on Friday November 14, 2025 @08:27AM (#65795288)
    A new type of mods now gain popularity - bypass harnesses for data collection modules (DCM). Typically disconnecting cell antenna is not enough, as tests showed that connection is possible when driving close to cell towers. In most cars these DCMs can be simply unplugged or disconnected via a fuse, but sometimes manufacturers integrate other functionality to make it harder to cleanly disable.

    A shameful example is Toyota, that to opt out of data brokerage requires declining the Master Data Consent that turns off all connected and some local features. For example, they disable key fob remote start feature if you opt out or disable DCM. The key fob has no internet functionality, it is local radio signal.

    Another shameful example is GM attempting to void warranty [caranddriver.com] if you disconnect your car. This is unlikely to be legal due to Magnuson-Moss. They do so if the car fails to connect to Toyota's servers in the 60 day window.
    • A new type of mods now gain popularity - bypass harnesses for data collection modules (DCM).

      Your ideas are intriguing and I wish to subscribe to your newsletter. ...no seriously, if these things exist, I would be super interested in knowing where to get one.

    • Someone should start a website allowing car buyers the option to be pre-warned about the level of exploitation they'll experience for each make and model of car.

      It's literally going to be a public service so should be government funded :-)

      • Someone should start a website allowing car buyers the option to be pre-warned about the level of exploitation they'll experience for each make and model of car.

        Mozilla did this....and unfortunately, it's worse than useless.

        Strictly speaking, Toyota's privacy policy is pretty liberal in terms of what is involved, and has been for years...and that's what their rating is based on. And, credit to Toyota, their "we can do whatever we want and you can't sue us" policy goes pretty far back, so Mozilla ranked my 1999 Camry as pretty not-privacy-centric. That's useless, because it got the same ranking as a 2024 Tesla Model S.

        Now, regardless of what the paperwork says, the

        • Perhaps there's an incentive for manufacturers to detail how they're exploiting customers but I'm not aware of it - perhaps one day when openness is valued above profit-resulting-from-obscurity?

          I suppose if, instead of issuing free-floating (essentially-)PDF contracts, manufacturers registered their contract terms with a system of some sort (trying to avoid the old-think 'centralised' but some system which is universally reachable) in a common language, it could be data-mined by anyone to extract new insigh

    • Another mod I did in my car was to download the firmware running my in-built screen UI and modify it to remove annoyances, then flash the modded version back.

      I had to do some reverse engineering and signature patching but it was worth it.

      The only downside is that I've got to reflash the original software before my annual MOT checks and then back to the modded version later, otherwise MOT would fail, but that's it.

  • by Inglix the Mad ( 576601 ) on Friday November 14, 2025 @09:30AM (#65795352)
    We have to make it extremely unpleasant for companies to collect large amounts of unnecessary data.
    • What makes you think it was unnecessary? What if this was a finance database storing details of people who took out auto loans? They'd need to retain all that data for collections and compliance.
  • by Big Hairy Gorilla ( 9839972 ) on Friday November 14, 2025 @09:39AM (#65795370)
    We read frequently about various cloud connected appliances, vacuum cleaners, "smart" speakers, thermostats, for instance, that manufacturers decide to pull the plug on the back end. They just issue a memo that as of some date, your appliance won't work anymore.

    What happens in 5 years to all the cloud connected cars?

    Ummm... Hi, this is Hyundai, we lost our last human programmer to vibe coding and we don't know how yet to fix your cloud backend, because we're a car company, not a nerd farm, so we're shutting it down next April.

    Sorry. Your car don't work no more. Boo hoo for you?
    • by sinij ( 911942 )

      What happens in 5 years to all the cloud connected cars?

      Disabling of functionality and continuation of data collection.

      The mass-adoption of automotive spyware started around 2019 (OnStar existed long prior to that) where a combination of cheap cell modems and bulk contracts with telecoms allowed it to happen. This was sold as over-the-air updates, but really it was always-connected car that collects all your driving data. Most cars were sold with 5 or 10 year "free" plans where integration with various apps and similar IoShit features were bundled in with the car

      • Thanks for ruining my day.
        Yeah, that sounds about right.
        We'll continue to take what we want, but you don't get to roll your windows up or down, sorry, read the Terms of Service.
        signed,
        Scared to buy a new car.
        • by sinij ( 911942 )
          See how difficult it is to disable. Some make it very difficult by integrating it into the dash screen, others have it as a separate module that can be removed without any ill effects. Plus, I know Subaru, if you call and insist, will send a remote kill command to your data collection module.
      • Sun's getting VERY active recently. Can one hope for a Carrington Event, Part Deux?
    • by PPH ( 736903 )

      And yet, I can still get parts to maintain my 46 year old truck. Still stocked at the local parts store. So I'm going to keep driving that, polluting stink bomb that it is.

  • If a company wanted to sell customer details to the less reputable members of society - even less-reputable than data-brokers, how might that look from the outside?

    Asking for a friend :P

  • by blahbooboo2 ( 602610 ) on Friday November 14, 2025 @11:31AM (#65795566)

    All our personal information has already been leaked. Lock your credit lines is all you can do and just keep an eye on your personal matters.
    Otherwise, this ship has sailed a long time ago.

  • And you know where you buried the other person

    If you store data or share it, you are at risk of losing that data. The more you share it and the more places you store it the more likely your secrets won't stay secret.
    This is how I started my cryptography course at IBM.
    These companies are storing your data and they don't care if it is leaked. They have been told what I said above, they took minimal precautions not to lose it. They took no precautions to scrub personal data. The data has some value
