Toyota disclosed a data breach in its cloud environment that exposed the vehicle location information of 2,150,000 customers for 10 years, between November 6, 2013, and April 17, 2023. This is almost the entire customer base that has signed up for Toyota’s main cloud service platforms since 2012.
According to a security notice published in the company’s Japanese newsroom, the information had been publicly available for a decade due to human error. The data breach reportedly resulted from a database misconfiguration that allowed anyone to access its contents without a password.
The incident, which also affected customers of its luxury brand Lexus, comes as the world’s biggest automaker by sales makes a push into vehicle connectivity and cloud-based data management, which are seen as crucial to offering autonomous driving and other artificial intelligence-backed features. Toyota says:
“After the discovery of this matter, we have implemented measures to block access from the outside, but we are continuing to conduct investigations, including all cloud environments managed by TC. We apologize for causing great inconvenience and concern to our customers and related parties.”
According to a Toyota spokesperson, the data could encompass details such as vehicle locations and identification numbers of vehicle devices, but there were no reports of malicious use. In response to why it took so much time to realize there had been an error, the spokesperson said:
“There was a lack of active detection mechanisms, and activities to detect the presence or absence of things that became public.”
Toyota said it would now introduce a system to audit cloud settings, establish a system to continuously monitor settings, and thoroughly educate employees on data handling rules. The Japanese automaker also said it is taking steps to block outside access to the data after the issue was discovered, and that an investigation into all cloud environments managed by Toyota Connected Corp is being carried out.
In October 2022, Toyota informed its customers of another lengthy data breach resulting from exposing a T-Connect customer database access key on a public GitHub repository. This enabled an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when external unauthorized access to the GitHub repository was restricted.