Hyundai, Kia, And Genesis Suffer Massive Customer Data Breach

Despite constant assurances from the industry that cybersecurity is everyone’s top priority, there’s been another massive data breach. This time it affects the personal data of up to 2.7 million Hyundai Motor Group customers — potentially encompassing addresses, phone numbers, driver’s licenses, and even Social Security numbers.

Hyundai AutoEver America (HAEA), which handles the automaker’s information technology department, has reportedly been compromised. Sadly, this means that Kia and Genesis customers have been similarly impacted. HAEA has stated that it has hired forensic experts to deal with the issue and is likewise working with law enforcement.

According to TechRadar, notification letters began being sent out to customers late in October. However, the attack reportedly took place between February 22nd and March 2nd of 2025 — when Hyundai AutoEver America claimed to have blocked access to the company’s network.

From TechRadar:

The letter did not say who the attackers were, what kind of information they obtained, or how many people were affected.

However, a filing with the Massachusetts Office of Consumer Affairs and Business Regulation states that the attackers took people’s names, Social Security Numbers (SSNs), and driver’s licenses.

At the same time, BleepingComputer reports the company services 2.7 million cars which, in (superficial) theory, could be the number of people potentially affected by this attack. HAEA has around 5,000 employees, but it is unclear if they are affected by this incident, as well.

By cross-referencing the stolen data with information from other stolen databases, cybercriminals can create more complete victim profiles and then reach out with highly personalized phishing emails which could trick them into sharing passwords, making wire transactions, and similar.

The corporate solution was boilerplate and admittedly unconvincing. Hyundai claims it has added extra security to its network while bringing in third-party experts and law enforcement. This has been the play for all automakers suffering from cyberattacks, yet the problem only seems to have gotten worse as more corporate data has been digitized.

Hyundai even suffered back-to-back data breaches in Europe in 2023 and 2024. The lessons learned from those incidents apparently failed to stick or help customers in the United States.

I’m not sure we should even be surprised by data breaches and ransomware attacks anymore. The fact that most automakers already sell your data to third parties for profit makes your personal information inherently vulnerable, even without criminal ransomware or other cyberattacks being an issue.

We’re likewise concerned about why it took Hyundai so long to notify the 2.7 million customers that are believed to be involved in the latest data breach. Hyundai AutoEver America was aware of the incident by March. Was it simply unaware of the scope of the breach until recently or did its legal team spend the last several months trying to figure out how to tell Hyundai customers that their personal information might have been compromised? Something feels a little off about the timeline.

The automaker is hoping to make amends by offering two years of free identity theft and credit monitoring to impacted customers via Epiq. Hilariously, Epiq also suffered a ransomware attack back in 2020. At the time, the company said it was working with third-party experts and law enforcement to solve the problem.

[Images: Hyundai Motor Group]

Become a TTAC insider. Get the latest news, features, TTAC takes, and everything else that gets to the truth about cars first by  subscribing to our newsletter.