Hyundai Data Breach Exposes 2.7 Million Social Security Numbers

The automotive industry, once synonymous with innovation on the road, is now facing a reckoning on the data highway. In a stark reminder of the perils of connected vehicles, Hyundai has disclosed a massive data breach that potentially compromised the Social Security numbers of up to 2.7 million customers. This incident not only heightens identity theft risks but also amplifies ongoing privacy concerns, mirroring the recent California Privacy Protection Agency (CPPA) settlement against Honda for violations of the California Consumer Privacy Act (CCPA). As cars evolve into rolling data centers, these events underscore the urgent need for robust safeguards in an era of vehicle-to-everything (V2X) communication.

Hyundai’s Breach: A Nine-Day Intrusion with Lasting Fallout

Hyundai AutoEver America, a key IT subsidiary of the Hyundai Motor Group, fell victim to cybercriminals who infiltrated its systems from February to March 2025. The breach, detected in early March, allowed hackers to access sensitive personal information—including full names, driver’s license numbers, and Social Security numbers—for approximately 2.7 million current and former vehicle owners across the United States. While initial reports suggested a smaller scope affecting around 2,000 Hyundai, Kia, and Genesis owners, the full disclosure revealed the staggering scale, with the company notifying affected individuals 242 days after eviction efforts began.

It took Hyundai’s security team nine days to fully remove the intruders, a delay that experts attribute to the complexity of the attack vector—likely exploiting unpatched vulnerabilities in third-party software or phishing lures targeting IT staff. The exposed data, stored in Hyundai’s customer service and warranty databases, now poses severe risks: identity theft, fraudulent loans, and even vehicle tampering via connected infotainment systems. In response, Hyundai has offered free credit monitoring services and is cooperating with federal authorities, but the damage may linger for years.

Compounding the crisis, a class-action lawsuit was swiftly filed against Hyundai America, alleging negligence in data protection and failure to timely notify victims. Plaintiffs claim the breach stems from inadequate encryption and multi-factor authentication, practices that could have mitigated the intrusion’s impact.

Honda’s Privacy Settlement: A Cautionary Tale of CCPA Enforcement

Just months earlier, in March 2025, Honda made headlines for a different but equally telling privacy misstep. The CPPA levied a $632,500 fine against American Honda Motor Co. in its first major enforcement action under the CCPA, accusing the automaker of unlawfully demanding excessive personal information from consumers attempting to exercise their privacy rights. Specifically, Honda required sensitive details, like full Social Security numbers and precise addresses, to verify deletion requests for vehicle data, far beyond what was necessary under the law.

The settlement, which Honda accepted without admitting wrongdoing, mandates sweeping changes: streamlined verification processes, enhanced employee training on CCPA compliance, and biennial privacy audits. It also highlights Honda’s role in the burgeoning connected car ecosystem, where telemetry from Acura and Honda models feeds into analytics platforms, raising questions about data minimization and consent. A separate class-action probe, launched in May 2025, alleges Honda transmitted granular driving behavior data—such as speed, braking patterns, and location history—to third-party firms like LexisNexis Risk Solutions without adequate disclosure, potentially violating federal wiretap laws and state privacy statutes.

Interconnected Risks: From Breaches to Broader Automotive Privacy Crises

The Hyundai breach and Honda settlement are not isolated; they reflect systemic vulnerabilities in the auto sector’s data practices. Connected vehicles generate terabytes of personal data daily, from navigation habits to biometric scans via keyless entry. Breaches like Hyundai’s provide hackers with a treasure trove for identity crimes, while lax verification—like Honda’s—erodes consumer trust and invites regulatory scrutiny. Together, they fuel a litigation surge: Over 50 privacy suits against automakers in 2025 alone, per industry trackers, with settlements totaling more than $50 million.

Experts warn that as electric and autonomous vehicles proliferate, so do attack surfaces. IoT integrations in infotainment and ADAS (advanced driver-assistance systems) mirror the education sector’s woes, where unsecured devices enable lateral movement to sensitive databases. For consumers, this means heightened exposure to doxxing, insurance discrimination based on driving data, and even ransomware locking out vehicle functions remotely.

Steering Toward Safer Data Practices: Recommendations for the Road Ahead

To navigate these hazards, automakers must adopt zero-trust architectures, encrypting data at rest and in transit while implementing AI-driven threat detection. Consumers should demand transparent privacy policies, opt for privacy-focused models, and monitor credit reports vigilantly—especially post-breach. Regulators like the CPPA and FTC are ramping up oversight, with proposed rules for vehicle data akin to GDPR’s extraterritorial reach.

Hyundai and Honda’s stumbles serve as pivotal lessons: Innovation without ironclad privacy is a recipe for recalls of trust. As the industry accelerates toward smarter mobility, prioritizing data security will determine who leads the pack—and who gets left in the dust.
