Toyota Motor Corporation recently revealed a significant data breach on its cloud environment, exposing the car-location information of approximately 2.15 million customers over a ten-year period.
The breach occurred between November 6, 2013, and April 17, 2023, due to a misconfiguration in the company’s database.
A security notice published in Toyota’s Japanese newsroom explained that the misconfiguration allowed unrestricted access to the database contents without requiring a password.
The notice stated that the breached data was part of the information entrusted to Toyota Connected Corporation for management.
The data breach compromised the car-location details of customers who utilized Toyota’s T-Connect G-Link, G-Link Lite, or G-BOOK services between January 2, 2012, and April 17, 2023.
T-Connect is a comprehensive in-car smart service offered by Toyota, providing features such as voice assistance, customer service support, car status and management, and on-road emergency assistance.
The misconfigured database exposed several pieces of information, including the following:
Although the exposed details do not include personally identifiable information, it is worth noting that the data leak alone cannot be used to track individuals unless the attacker possesses the vehicle identification number (VIN) of a target car.
VINs, also known as chassis numbers, are relatively accessible, meaning an attacker with sufficient motivation and physical access to a target’s car could potentially exploit the decade-long data leak for location tracking purposes.
A separate statement released by Toyota on the ‘Toyota Connected’ website mentioned the potential exposure of video recordings captured outside the vehicle.
This incident involved a period spanning nearly seven years, from November 14, 2016, to April 4, 2023. While the impact on car owners’ privacy due to the exposed videos may vary depending on the conditions, time, and location, it is important to note that the disclosure of these recordings is not expected to significantly compromise their privacy.
Toyota has expressed its apologies for any inconvenience and concern caused to its customers and related parties. The company has taken immediate measures to block external access following the breach’s discovery.
Additionally, Toyota plans to individually notify affected customers and establish a dedicated call center to handle any inquiries or requests they may have. This proactive approach aims to address customer concerns and provide necessary support.
In October 2022, Toyota had already informed its customers about another data breach incident related to the exposure of a T-Connect customer database access key on a public GitHub repository.
During that breach, unauthorized access occurred between December 2017 and September 15, 2022, affecting the details of 296,019 customers. The unauthorized third party gained access to the GitHub repository, prompting Toyota to restrict external unauthorized access to prevent further breaches.
Explore the top 5 best Microsoft Intune alternatives, comparing key features, user reviews, and capabilities…
Discover the top 7 smartphones of 2024 with best security features, offering privacy, performance, and…
Discover the top 11 log management tools for efficient system management and monitoring. Learn about…
Explore the top 5 threat intelligence tools, their features, and how they enhance cybersecurity against…
Explore the top 5 best PAM Tools, market trends, and expert insights to secure the…
Explore the top solutions for Apple Device Management including to iOS Device Management and macOS…