A data breach affecting the world’s largest car manufacturer, Toyota, has led to the data of over 2 million customers over 10 years being revealed.
The Japanese car company revealed that the data breach led to the car-location information of 2.15 million customers being revealed, spanning almost 10 years, starting 6 November 2013 to 17 April 2023.
According to a release on Toyota’s website, translated by Google, the incident occurred on the car company’s cloud environment due to a misconfigured database.
“It was discovered that part of the data that Toyota Motor Corporation entrusted to Toyota Connected Corporation (hereinafter referred to as TC) to manage had been made public due to misconfiguration of the cloud environment,” the release said, translated from Japanese.
The breach led to the data of customers who had used Toyota’s in-car smart service T-Connect, which helps with voice assistance, customer service support, on-road emergency help and more.
Users of T-Connect G-Link, G-Link Lite, or G-BOOK between 2 January 2012 and 17 April 2023 have had information exposed.
Data included vehicle location information and time data, in-vehicle GPS navigation terminal ID number and the chassis number.
Toyota also said that video recordings taken outside vehicles could also be at risk, from a period starting 15 November 2016 to 4 April 2023.
None of the data is considered personally identifiable information, meaning no customers are believed to be at risk of criminals tracking down a user’s car, as they would be difficult to track without knowing a target vehicle’s VIN.
The company has said that it has “not confirmed any secondary use of customer information on the internet by a third party, or whether or not there are any copies remaining, regarding customer information that may have been viewed from the outside”.
“Other secondary damage has not been confirmed, but we will continue to promote the implementation of recurrence prevention measures to further strengthen the management system for handling personal information,” it said.
Toyota has said it is making a number of changes to prevent incidents like this from occurring again.
“After the discovery of this matter, we have implemented measures to block access from the outside, but we are continuing to conduct investigations, including all cloud environments managed by TC, and regarding the incidents that have been identified as of today,” it said.
“We will let you know. We apologise for causing great inconvenience and concern to our customers and related parties.”
Toyota has also said that it will be sending out individual apologies and emails to affected customers and will set up a dedicated call centre to allow those needing support to ask questions and raise concerns.
Only earlier this year, Toyota suffered another long-term data breach, with Toyota Italy having accidentally revealed sensitive data for one and a half years by exposing credentials to its Salesforce Marketing Cloud.
– Cyber Security Connect