In the past few months, Hyundai AutoEver America, a division of Hyundai Motor Group, has confirmed a recent data breach that exposed sensitive personal information after hackers infiltrated its internal IT environment earlier this year, revealing a recent data breach.
A company spokesperson told me that unauthorized access to the company's computer systems began on February 22, 2025 and went undetected until March 2, giving intruders nine days to access confidential data.
The early breach notices didn't specify how many people were affected, but according to state regulatory disclosures as well as a subsequent statement issued to Kelley Blue Book, approximately 2,000 people—out of the over 2.7 million users HAEA serves across Hyundai, Kia, and Genesis platforms—were impacted. There have been a number of compromises of the data, including names, Social Security numbers, and driving license information.
In response to the suspicious activity, HAEA contacted an external cybersecurity expert who conducted an investigation, contained the intrusion, and informed law enforcement. As officials continue to assess the full scope of the incident, officials have begun issuing formal notices to those whose information was possibly exposed.
It was only in the months that followed that it became increasingly clearer and more troubling just what the breach's consequences and the broader risks associated with connected vehicles were in the future.
Even though Hyundai AutoEver America eventually acknowledged that the incident could have affected as many as 2.7 million Hyundai, Kia, and Genesis owners, internal assessments and state filings later narrowed the directly affected group to merely 2,000 individuals, yet the sensitive nature of the data involved makes even this smaller number quite significant.
A nine-day intrusion that took place between February 22 and March 2, 2025, revealed the names, addresses, phone numbers, driver’s license numbers, and Social Security numbers of several automobile manufacturers, revealing to intruders a full range of data and details that underpinned core digital services across the automaker’s brands during that period.
Among privacy experts, there is no doubt that what has caused concern is not just the scope of information but also that it has taken seven months for customers to be informed about the incident, a timeframe that gave the possibility for stolen identities to be misused or combined with other data circulating from other breaches.
Hyundai is also experiencing a growing pattern of security breaches since 2023, which reinforces concerns that these are not isolated incidents but rather signs of deeper structural problems.
As the episode illustrates, modern cars—once purely mechanical devices—now act as sophisticated data hubs, collecting everything from passengers’ financial details to route histories, biometric inputs, driving behaviour, and even information synced from their mobile devices, which is not visible to the driver.
Manufacturers are expanding their digital ecosystems and the breach has raised questions about the industry's ability to safeguard the vast and intimate data it collects on a regular basis.
Immediately following the intrusion, Hyundai AutoEver America made an effort to reassure its customers by offering two years of complimentary identity theft and credit monitoring services through Epiq as a gesture of goodwill.
In spite of this, security analysts note that such measures are rarely sufficient to relieve customers after sensitive information has been stolen.
Additionally, Hyundai Motor Europe’s disclosure also brought back memories of a similar experience it suffered just a year earlier when it was attacked by a ransomware gang called Black Basta, which claimed to have taken over 3TB of internal files before appearing dormant in early 2025, when the company lost control of its operations.
All in all, these incidents emphasize one more uncomfortable reality: automakers now harvest and manage far greater amounts of personal information than most drivers are aware of.
Besides the information required for financing or registration of vehicles, companies routinely collect (and in some cases monetize) data regarding the locations of their customers, their driving habits, the biometric patterns they use, and even behavioral patterns that can help them infer consumers' preferences with a remarkable degree of accuracy.
Following a complaint made by General Motors that it had shared driver data with third-parties to the point of being able to obtain their information from them, the Federal Trade Commission issued a five-year ban on the practice. In July, a U.S. Senate inquiry raised concerns about other manufacturers continuing the same data-sharing practices.
The HAEA notified the California Attorney General of the incident by notifying them that they had enlisted cybersecurity experts to determine the scope of the breach and confirm that the intrusion had been contained, even though investigators were unable to determine if the information was exfiltrated. Those affected customers have been given 90 days to enroll in monitoring services, and a hotline has also been established to assist customers.
As Hyundai AutoEver asserts, only a small number of users have been directly impacted by this incident, but the incident has ignited a wider industry debate over precisely how well automakers secure the ever-increasing amount of personal data embedded in most connected vehicles today.
After Hyundai AutoEver America found out that a wide range of sensitive data points had been exposed as part of this breach, including a number of customer names, government-issued identification numbers, and passwords, it confirmed that the investigation of the technical footprint was continuing.
Among the records that were compromised, according to notification letters sent to the individuals affected, were Social Security numbers and driver's license information, with each recipient receiving a customized breakdown of which data elements applied to them in the initial notification.
In order to conduct the analysis in a comprehensive way, extensive forensic work and collaboration with external cybersecurity specialists were necessary.
These specialists helped Hyundai AutoEver reconstruct the intrusion, assess database exposure, and determine which users needed formal notification. Hyundai AutoEver said it immediately terminated the intruder's access and implemented additional safeguards and was continuing to implement a comprehensive remediation program that was intended to prevent similar incidents in the future.
Consequently, Epiq Privacy Solutions has been contacted by the company to offer complimentary two-year credit monitoring and identity protection services to impacted customers, which will include three-bureau monitoring and fraud detection tools, as well as a 90-day enrollment period. It should be noted that these protections are only a layer of protection, however, according to security experts.
As a precautionary measure, they advise their customers to review financial statements, to check their credit reports, and to place fraud alerts or credit freezes with the major credit bureaus to reduce the risk of unauthorized account openings.
In addition, this incident has brought about renewed discussions about digital hygiene for vehicle owners, ranging from updating passwords and enabling multifactor authentication on connected car applications to avoiding stored payment information in the infotainment system.
There are a number of cybercrime analysts who note that incidents of this nature often open the door to secondary scams, as cybercriminals impersonate automakers' support teams in order to steal more personal information from car owners through pages pretending to be account verifications and security updates.
These developments have been identified by industry observers as part of a dramatic shift in the way in which cars now collect far more information than most drivers are aware of. These include location histories, biometric identifiers, behavioral patterns, and synced mobile data, to name a few.
The results of this study indicate that consumers should adopt strong cybersecurity practices, including using reputable antivirus software, staying current on device updates, and thinking about data-removal solutions that will reduce exposure to data-broker websites as a result of data misuse.
Several automakers have been affected by this new trend; the Federal Trade Commission imposed a five-year ban on General Motors' ability to sell data on drivers earlier this year.
Additionally, a Senate investigation has raised concerns about similar practices in other automakers, including Hyundai, as well.
In spite of Hyundai AutoEver's assertion that only a relatively small number of its customers were directly affected by this breach, the incident has brought to light questions about the effectiveness with which carmakers are safeguarding the growing amounts of data embedded in connected cars, as well as what consumers should do in the rapidly growing digital world in order to protect themselves from the threat of fraud.
It is clear from the Hyundai AutoEver breach that the automobile industry needs to rethink how it approaches data security in an increasingly interconnected digital age, where vehicles become increasingly interconnected digital ecosystems. It is important to note that meaningful protection depends both on stronger corporate safeguards as well as on proactive vigilance on the part of drivers in light of increased regulatory oversight and consumers' increasing awareness of how their information is being used.
It is vital that consumers play an important role in reducing future risks by practicing stricter digital hygiene, minimizing unnecessary data sharing, and demanding that automakers communicate their information more clearly, in order to ensure that the convenience of connected cars does not come at the expense of their individual privacy rights.
