Hyundai's IPO documents offer rare glimpse into its cybersecurity firewall

The red herring prospectus of Hyundai Motor India Ltd (HMIL) offers a rare glimpse into the cybersecurity readiness and posture of one of India's biggest automakers, including past instances of data breaches. Any company that is going public has to exhaustively reveal all its weakpoints, past incidents and vulnerabilities under 'risk factors', and Hyundai too has revealed two instances in which customer data was stolen by hackers.

"For example, we experienced two customer data leak incidents in December 2022 and February 2023 where data of our customers was posted on the dark web. For the leak in CY2022, we performed penetration testing and successfully removed the data of our customers from the dark web. In response to the second leak in CY2023, we identified and disabled the vulnerable application programming interfaces exploited by the hackers to access customer data," the RHP said.

It also warned that keeping data safe from hackers is an ongoing priority, and any failure to do so could result in legal liability for the company.

"Although we took steps to address these vulnerabilities, there is no assurance that such measures will prevent all incidents in the future. Hackers may attempt to gain unauthorised access to, modify, alter, and use our networks, passenger vehicles, and systems to gain control of, or to change, our passenger vehicles’  functionality, customer interface, and performance characteristics, carry out computer denial of service attacks, or gain access to data stored in or generated by the cars. Vulnerabilities could be identified in the future and our remediation efforts may not be successful. Any unauthorised access to or control of our cars or their systems or any loss of data could result in legal claims or proceedings against us," it noted under 'risk factors'.

The document also provides further insight into its broader approach to data security. The company operates its own data centre, which includes a disaster recovery site that stores critical business data to ensure continuity in the event of an emergency. This infrastructure is managed by dedicated IT personnel, and the automaker has implemented a range of technical and organisational measures to safeguard its systems.

Among these measures are multi-level authentication protocols to control access to applications, regular software updates to address server vulnerabilities, and malware protection systems. Hyundai also boasts a team specifically tasked with managing vulnerabilities, who work around the clock to monitor cyber threats. Additionally, the company adheres to both national and international security standards, updating its policies and procedures regularly to reflect the evolving nature of cyber risks.

Hyundai’s approaches and experiences are not very different from those of other companies that store vast amounts of customer data, particularly in the era of connected devices and big data.