Japanese car giant Toyota has warned that nearly 300,000 customers may have had their personal data leaked after an access key was publicly available on GitHub for almost five years.
In a statement on its website, Toyota said that the email addresses and customer control numbers of 296,019 people who have used T-Connect, a telematics service that connects vehicles to a network, since July 2017 were exposed.
The firm added that an analysis of the data server's access history found no evidence that the data was accessed by a third party, although such access "could not be completely ruled out."
The car manufacturer assured customers that “there is no possibility of the leakage of names, telephone numbers, credit cards and other information such as the ‘T-Connect’ service itself.” Additionally, the data of users of the ‘G-Link/G-Link Lite’ and ‘MyTOYOTA/My TOYOTA+’ apps for Lexus vehicles was not affected, as it is stored separately.
The leak was caused by a website development contractor mistakenly uploading part of the T-Connect site's source code to a public GitHub repository, where it remained for almost five years, from December 2017 to September 15, 2022. The source code contained the access key to the T-Connect data server, which granted access to users’ email addresses and customer control numbers.
Toyota said that upon discovery, it immediately took action to make the source code private, “and on September 17, we took measures such as changing the access key of the data server, and no secondary damage has been confirmed.”
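The mistake described above, a credential committed into source code that ends up in a public repository, is exactly what a pre-commit secret scan is meant to catch before the push. The following is an added example, not Toyota's, the contractor's or any project's own code: a hypothetical Python scanner that flags credential-like assignments by identifier keyword, by structured-key format and by Shannon entropy, run over a constructed sample file. The page does not say what kind of key was leaked; the AWS-style `AKIA…` pattern is only one illustration of a structured-key check, and the placeholder list and 3.5 bits/char entropy threshold are tuning assumptions. One caveat worth stating plainly: making a repository private, as Toyota did first, does not revoke copies already cloned or sitting in git history, which is why rotating the key (as Toyota did on September 17) is the step that actually closes the exposure.

```python
"""Hypothetical pre-commit secret scanner (added example, not Toyota's code).

Flags credential-like string assignments in source text using three signals:
an identifier keyword, a structured-key format, and a Shannon-entropy check.
"""
import math
import re
import sys

# Identifier containing a credential keyword, assigned a quoted string.
# Handles `KEY = "..."`, `key: "..."` and JSON-style `"key": "..."`.
CREDENTIAL_ASSIGNMENT_RE = re.compile(
    r"""(?i)\b([\w.-]*(?:access[_-]?key|secret|api[_-]?key|token|password|passwd|pwd)[\w.-]*)"""
    r"""['"]?\s*[:=]\s*['"]([^'"\n]+)['"]"""
)
# Assumption: an AWS-style access key ID (AKIA/ASIA + 16 upper-case alphanumerics)
# stands in for "structured key formats" generally; the page does not name the key type.
STRUCTURED_KEY_RE = re.compile(r"(?:AKIA|ASIA)[0-9A-Z]{16}")
# Values that look like credentials but are obviously not real (assumed list).
PLACEHOLDERS = {"changeme", "password", "example", "xxx", "todo", "your_key_here", "<redacted>"}


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random keys score far above prose or placeholders."""
    if not value:
        return 0.0
    length = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / length * math.log2(c / length) for c in counts.values())


def classify(value: str, entropy_threshold: float):
    """Return (severity, reason) for a candidate secret value."""
    if value.lower() in PLACEHOLDERS:
        return "low", "placeholder value"
    if STRUCTURED_KEY_RE.fullmatch(value):
        return "high", "matches structured key format"
    entropy = shannon_entropy(value)
    if entropy >= entropy_threshold:
        return "high", f"high-entropy value ({entropy:.2f} bits/char)"
    return "low", f"low-entropy value ({entropy:.2f} bits/char)"


def scan_source(text: str, entropy_threshold: float = 3.5):
    """Scan one file's text; return a list of findings with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CREDENTIAL_ASSIGNMENT_RE.finditer(line):
            name, value = match.group(1), match.group(2)
            severity, reason = classify(value, entropy_threshold)
            findings.append({"line": lineno, "name": name, "severity": severity, "reason": reason})
    return findings


def has_blocking_findings(findings) -> bool:
    """True if any finding should fail the commit hook."""
    return any(f["severity"] == "high" for f in findings)


# Constructed sample input (a fictional site config), not the real T-Connect source.
SAMPLE_SOURCE = """\
// config.js: constructed sample input, not the real T-Connect source
const DATA_SERVER = "https://data.example.invalid";
const ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
const ACCESS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
const DEV_PASSWORD = "CHANGEME";
const TIMEOUT_MS = 3000;
"""


def main(argv) -> int:
    """Scan the files given on the command line (or the sample); exit 1 on a high finding."""
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in argv] \
        or [("<sample>", SAMPLE_SOURCE)]
    blocking = False
    for path, text in sources:
        findings = scan_source(text)
        for f in findings:
            print(f"{path}:{f['line']}: {f['severity'].upper()} {f['name']}: {f['reason']}")
        blocking = blocking or has_blocking_findings(findings)
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wired in as a pre-commit hook (`python scan.py $(git diff --cached --name-only)`), a non-zero exit blocks the commit. Against the sample it reports two high findings (the structured key ID and the high-entropy secret) and one low finding (the `CHANGEME` placeholder); the keyword list, placeholder set and entropy threshold should be tuned per codebase, and a scan of existing history (every commit, not just the working tree) is needed once, because a key removed from the current tree is still recoverable from earlier commits.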
The company warned affected customers to be vigilant against phishing emails that may result from the leak. It advised them not to open emails from senders they do not recognize and to “be careful when accessing the URL address described in the email.”
Toyota’s announcement follows a number of recent cases of source code theft, which exposes affected organizations to significant security risks. These include the tech giant Intel, password management firm LastPass and gaming developer Rockstar Games.
Commenting on the story, Jordan Schroeder, managing CISO at Barrier Networks, said: “These types of secure development errors plague organizations today, and it is their customers that pay the price after attackers discover the error and compromise systems and data.
“Organizations must get better at source code control and management of secrets, like access keys, because there is a strong possibility this data has already been accessed by attackers and Toyota might never know for sure.”
In March 2022, Toyota was forced to halt production at all of its plants in Japan after a ransomware attack on a key supplier.