Toyota Data Breach Exposes Car Location Information of 2.15 Million Customers

Toyota Motor Corporation recently revealed a significant data breach on its cloud environment, exposing the car-location information of approximately 2.15 million customers over a ten-year period.

The breach occurred between November 6, 2013, and April 17, 2023, due to a misconfiguration in the company’s database.

A security notice published in Toyota’s Japanese newsroom explained that the misconfiguration allowed unrestricted access to the database contents without requiring a password.

The notice stated that the breached data was part of the information entrusted to Toyota Connected Corporation for management.

Exposed Information and Services

The data breach compromised the car-location details of customers who utilized Toyota’s T-Connect G-Link, G-Link Lite, or G-BOOK services between January 2, 2012, and April 17, 2023.

T-Connect is a comprehensive in-car smart service offered by Toyota, providing features such as voice assistance, customer service support, car status and management, and on-road emergency assistance.

Details of the Exposed Data

The misconfigured database exposed several pieces of information, including the following:

1. In-vehicle GPS navigation terminal ID number
2. Chassis number
3. Vehicle location information with time data

Although the exposed details do not include personally identifiable information, it is worth noting that the data leak alone cannot be used to track individuals unless the attacker possesses the vehicle identification number (VIN) of a target car.

VINs, also known as chassis numbers, are relatively accessible, meaning an attacker with sufficient motivation and physical access to a target’s car could potentially exploit the decade-long data leak for location tracking purposes.

Possible Exposure of Video Recordings

A separate statement released by Toyota on the ‘Toyota Connected’ website mentioned the potential exposure of video recordings captured outside the vehicle.

This incident involved a period spanning nearly seven years, from November 14, 2016, to April 4, 2023. While the impact on car owners’ privacy due to the exposed videos may vary depending on the conditions, time, and location, it is important to note that the disclosure of these recordings is not expected to significantly compromise their privacy.

Toyota’s Response and Customer Support

Toyota has expressed its apologies for any inconvenience and concern caused to its customers and related parties. The company has taken immediate measures to block external access following the breach’s discovery.

Additionally, Toyota plans to individually notify affected customers and establish a dedicated call center to handle any inquiries or requests they may have. This proactive approach aims to address customer concerns and provide necessary support.

Previous Data Breach Incident

In October 2022, Toyota had already informed its customers about another data breach incident related to the exposure of a T-Connect customer database access key on a public GitHub repository.

During that breach, unauthorized access occurred between December 2017 and September 15, 2022, affecting the details of 296,019 customers. The unauthorized third party gained access to the GitHub repository, prompting Toyota to restrict external unauthorized access to prevent further breaches.