A cloud misconfiguration in car manufacturer Toyota’s servers may have leaked sensitive information belonging to more than two million customers.
The cloud misconfiguration meant that sensitive information for those who subscribed to Toyota services T-Connect, G-Link, G-Link Lite and/or G-BOOK between January 2, 2012 to April 17, 2023 was accessible to unauthorized parties from November 6, 2013 to April 17, 2023.
The data includes location information for impacted vehicles andthe time the vehicle was at said locations, as well as the in-vehicle terminal ID and Vehicle Identification Number (VIN).
Unauthorized parties may have also been able to access “video taken outside the vehicle with a drive recorder collected from corporate services provided [Toyota]” between November 14, 2016 and April 4, 2023.
Toyota cited an “insufficient explanation and thoroughness of data handling rules” as the reason for the cloud misconfiguration. To prevent further leaks, the company has said it will be “thoroughly educating employees and working to prevent recurrence”, as well as introducing “a system to audit cloud settings, conduct a setting survey of the cloud environment and build a system to monitor the setting status on an ongoing basis”.
Toyota has said that once the misconfiguration was discovered, processes were implemented to prevent further data leaks. The company has also said that it will be investigating all cloud environments managed by Toyota to prevent further cloud misconfigurations and leaks.
The car manufacturer will be contacting all those affected by the leaks in addition to setting up a dedicated call center to “answer questions and concerns” from customers.
Unfortunately, this is not the first time that Toyota T-Connect has been involved in a data leak.
Toyota T-Connect source code posted to GitHub
On October 7, 2022, Japanese car manufacturer Toyota issued an apology after it was discovered that third parties may have gained unauthorized access to customer details between December 2017 and September 2022.
The breach occurred because a section of the source code for T-Connect, an app which allows customers to connect their phone to their car, had been posted on source code repository GitHub in December 2017. As the source code contained an access key for the server, this may have allowed unauthorized access to customer data for five years.
Any customers who registered for the app from December 2017 to September 2022 were at risk of having their data accessed, meaning the data for a potential 296,019 customers may have been leaked. The information available included email addresses and customer management numbers. Personal or sensitive information including payment card information, name and address were not leaked.
Following a security investigation, Toyota said that while it “cannot confirm access by a third party based on the access history of the data server where the customer’s email address and customer management number are stored, at the same time [it] cannot completely deny it”.
Toyota also said that it would individually notify all those who were affected by the breach.