Toyota Admits Decade-Long Data Leak Affecting 2.15 Million Customers

Written by

Toyota Motor Corp acknowledged earlier today that the vehicle data of approximately 2.15 million users was publicly accessible in Japan for nearly a decade, from November 2013 to mid-April 2023.

Reuters first reported the news, specifying that according to Toyota spokesperson Hideaki Homma, the issue with Toyota’s cloud-based Connected service affects only vehicles in Japan. The service provides vehicle owners with maintenance reminders, entertainment streaming and emergency assistance. 

While no reports of issues resulting from the breach have surfaced, the compromised data includes vehicle identification numbers, location history and video footage captured by the vehicle’s drive recorder. 

Toyota claims this information cannot be used to identify individual owners. Still, approximately 2.15 million users of services like G-Link, G-Book and Connected have been affected. The company confirmed it has now fixed the system issue and assures customers that their Connect-enabled vehicles are safe to drive without requiring repairs. 

“Toyota is the latest victim of human error and the huge risks it poses for organizations,” commented Camellia Chan, CEO and founder of security software firm X-Phy

“Often, businesses make life easy for cyber-criminals by not properly configuring networks, and in this case, what should have been private cloud data became very public. A Toyota spokesperson commented that ‘there was a lack of active detection mechanisms’ to identify the mistake, so the data was exposed for almost a decade.”

Mark Stockley, a senior threat researcher at Malwarebytes, concurred with Chan, stating that the widespread adoption of cloud and NoSQL data storage has led to numerous incidents of exposed data on platforms such as Amazon S3, Elastic Search and MongoDB.

Read more on similar breaches: Medical Service Leaks 12,000 Sensitive Patient Images

“Software vendors like Amazon have worked hard to make this kind of thing more difficult, so it isn’t as easy as it once was. If a user is determined to expose their data to the Internet, however, they still can, because there are situations where they might actually want to,” Stockley added.

“To avoid accidental exposure, companies can invest in monitoring and auditing of cloud services and settings, as Toyota has said it will. Penetration testing and red team engagements can also help companies identify exposed data.”

The announcement comes months after Toyota warned that nearly 300,000 customers may have had their personal data leaked after an access key was publicly available on GitHub for almost five years.

Editorial image credit: JuliusKielaitis / Shutterstock.com

What’s hot on Infosecurity Magazine?