Toyota has disclosed that for nearly a decade, a misconfigured cloud bucket was exposed to unauthorised access from the internet, putting the data of nearly 2.15 million customers at risk. The company claims that the leak only affects customers in Japan and that any access to the data wouldn’t identify individual customers. Additionally, it says it hasn’t seen any abuse of the leaked data by a third party so far.
The company hasn’t provided a rock-solid explanation as to what caused the exposure in the first place. According to its announcement (translated into English from Japanese using Google Translate), the “main cause was insufficient explanation and thorough explanation of data handling rules”.
To counter this, the company will educate employees and work to prevent recurrence. It will also implement a system to audit cloud settings, conduct configuration surveys of its cloud environments and build a system to continuously monitor those environments’ settings.
As for the data itself, it stems from Toyota’s cloud-based Toyota Connected service and was exposed from November 11, 2003, until April 6, 2023, when the exposure was finally blocked. Leaked data includes in-vehicle device ID, vehicle location information and time as well as chassis number.
Toyota is also setting up mitigation processes and affected customers will receive an apology and notification to their registered email addresses starting May 5. The company is setting up a dedicated call centre to address customer questions and concerns. It’s also conducting investigations around all of its cloud environments to ensure data protection.
This isn’t the first data protection incident Toyota has been involved in during 2023 either. In January, Toyota was one of more than 20 car manufacturers with API vulnerabilities that allowed a remote attacker to unlock, start and track cars and leak owners’ personal information.