In this Article
The Incident
Hyundai reported that it first became aware of the incident on March 1, 2025, having determined that unauthorized access to its information-technology environment began as early as February 22 and persisted until at least March 2. The company immediately launched a forensic investigation with outside cybersecurity experts and notified law-enforcement.
According to a submission to the California Department of Justice’s Office of the Attorney General, the breach window is precisely listed as February 22 to March 2, 2025.
What Was Exposed
While Hyundai has not provided an exact total number of impacted individuals, it supports connected-car and enhanced IT services integrated across some 2.7 million vehicles.
According to Massachusetts state filings and other reporting, the compromised information may include names, Social Security numbers and driver’s license numbers for at least some individuals.
What the Attorney General Filings Add
The California submission (SB24-613730) from Huyndai AEA confirms the dates of unauthorized activity and serves as a public record of the incident. It also signals that breach-notification obligations have been met: companies that notify more than 500 Californian residents must submit copies of notice letters, which HAEA has done.
The Company’s Response
In its notification letter, HAEA states it “took steps to terminate the unauthorized third party’s access … engaged third-party cybersecurity specialists … and continues to invest in additional security enhancements designed to mitigate future risk,”
As a precaution, affected individuals are being offered two years of complimentary credit-monitoring and identity-protection services through a third-party provider. The letter advises: “You have 90 days from the date of this letter to activate this free credit-monitoring service by using the following enrollment code.”
For questions or concerns, HAEA provides a contact number: 855-720-3727.
What Owners Should Do
Given the nature of the exposed data (especially SSNs or driver’s licenses), standard remediation such as resetting a password is not sufficient. Experts recommend taking the following steps:
- Monitor bank and credit-card statements for unusual transactions.
- Set up or enable multi-factor authentication (MFA) wherever available.
- Be especially cautious about emails or texts impersonating Hyundai/Kia/Genesis — fraudsters may attempt to exploit the breach.
- Use only official channels (brand websites, dealership portals) for communication; avoid clicking on unsolicited links.
- Consider placing a fraud alert or credit freeze on your credit report if you notice suspicious activity.
Broader Implications
In the current era of connected vehicles and cloud-driven mobility services, automakers and their IT branches are no longer simply building cars — they also manage vast repositories of personal and telemetry data. The HAEA breach underscores how the automotive industry itself has become a target for cyber-criminals.
Given the nature of the data compromised, the attack surface is no longer limited to the vehicle: it spans the digital services behind the vehicle. For consumers, the incident highlights that purchasing a car today comes with additional risk-vectors tied to how the vehicle and its manufacturer collect, store and protect data.
HAEA’s public filings and the involvement of state attorney general frameworks indicate rising regulatory attention to such breaches. The fact that formal notifications have been submitted to multiple states also points to potential legal exposure for the company.
If your personal data may have been exposed in the Hyundai AutoEver America incident, there are steps you can take to protect yourself. Each state offers resources to help residents report and prevent identity theft.
Start with the Federal Trade Commission (FTC), which provides free recovery plans and advice at consumer.ftc.gov/idtheft or by phone at (877) ID-THEFT (438-4338).
District of Columbia residents can get tips or file a complaint with the D.C. Attorney General’s Office at (202) 727-3400 or visit oag.dc.gov.
Iowa residents should report suspected identity theft to local law enforcement or contact the Iowa Attorney General’s Consumer Protection Division at (515) 281-5926 or iowaattorneygeneral.gov.
Maryland residents can get help from the Maryland Attorney General’s Consumer Protection Division at (888) 743-0023 or marylandattorneygeneral.gov.
New York residents can find information from the NY Attorney General’s Office at (800) 771-7755 (ag.ny.gov) or the Department of State’s Consumer Protection Division at (800) 697-1220 (dos.ny.gov).
North Carolina residents can learn more or file a report with the NC Department of Justice, led by Attorney General Jeff Jackson, at (877) 566-7226 or ncdoj.gov.
Rhode Island residents can contact law enforcement or the Rhode Island Attorney General’s Office at (401) 274-4400 or visit riag.ri.gov.
If you have placed a credit freeze with a credit bureau, remember that you’ll need your PIN or password to lift or remove it. Keep that information stored securely.