Toyota Motor Corporation disclosed a data breach on its cloud environment that exposed the car-location information of 2,150,000 customers for ten years, between November 6, 2013, and April 17, 2023.
According to a security notice published in the company’s Japanese newsroom, the data breach resulted from a database misconfiguration that allowed anyone to access its contents without a password.
“It was discovered that part of the data that Toyota Motor Corporation entrusted to Toyota Connected Corporation to manage had been made public due to misconfiguration of the cloud environment,” reads the notice (machine translated).
“After the discovery of this matter, we have implemented measures to block access from the outside, but we are continuing to conduct investigations, including all cloud environments managed by TC. We apologize for causing great inconvenience and concern to our customers and related parties.”
This incident exposed the information of customers who used the company’s T-Connect G-Link, G-Link Lite, or G-BOOK services between January 2, 2012, and April 17, 2023.
T-Connect is Toyota’s in-car smart service for voice assistance, customer service support, car status and management, and on-road emergency help.
The information exposed in the misconfigured database includes:
While there is no evidence that the data was misused, unauthorized users could have accessed the historical data and possibly the real-time location of 2.15 million Toyota cars.
It is important to note that the exposed details do not constitute personally identifiable information, so it wouldn’t be possible to use this data leak to track individuals unless the attacker knew the VIN (vehicle identification number) of their target’s car.
A car’s VIN, also known as chassis number, is easily accessible, so someone with enough motivation and physical access to a target’s car could theoretically have exploited the decade-long data leak for location tracking.
A second Toyota statement published on the Japanese ‘Toyota Connected’ site also mentions the possibility of video recordings taken outside the vehicle having been exposed in this incident.
The exposure period for these recordings was defined between November 14, 2016, and April 4, 2023, which is nearly seven years.
Again, the exposure of these videos would not severely impact the car owners’ privacy, but this depends on the conditions, time, and location.
Toyota has promised to send individual apology notices to impacted customers and set up a dedicated call center to handle their queries and requests.
In October 2022, Toyota informed its customers of another lengthy data breach resulting from exposing a T-Connect customer database access key on a public GitHub repository.
This enabled an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when external unauthorized access to the GitHub repository was restricted.