Toyota Motor Corporation has revealed a data breach in its cloud environment that exposed the car location information of 2,150,000 customers for ten years, between November 6, 2013 and April 17, 2023.

According to a security advisory published in the company’s Japanese newsroom, the data breach resulted from a database misconfiguration that allowed anyone to access its content without a password.

“It was discovered that part of the data that Toyota Motor Corporation had entrusted to Toyota Connected Corporation for management had been made public due to misconfiguration of the cloud environment,” read the note (translated automatically).

“After this matter was discovered, we implemented measures to block access from the outside, but we continue to conduct investigations, including all cloud environments managed by TC. We apologize for causing great inconvenience and concern to our customers and related parties.”

Exposed car location and videos

This incident revealed the information of customers who used the company’s T-Connect G-Link, G-Link Lite or G-BOOK services between January 2, 2012 and April 17, 2023.

T-Connect is Toyota’s in-vehicle smart service for voice assistance, customer service, car status and management, and emergency roadside assistance.

Information exposed in the misconfigured database includes:

  • the identification number of the on-board GPS navigation terminal,
  • the chassis number, and
  • vehicle location information with time data.

Although there is no evidence that the data was misused, unauthorized users could have accessed historical data and possibly the real-time location of 2.15 million Toyota cars.

It is important to note that the exposed details do not constitute personally identifiable information, so it would not be possible to use this data leak to track individuals unless the attacker knows the VIN (Vehicle Identification Number) of their target’s car.

A car’s VIN, also known as a chassis number, is easily accessible, so someone with enough motivation and physical access to a target’s car could theoretically have exploited the decade-long data leak for location tracking.

A second Toyota statement, published on the Japanese ‘Toyota Connected’ site, also mentions the possibility that video recordings taken outside the vehicle were exposed during this incident.

The exposure period for these recordings was given as November 14, 2016 to April 4, 2023, i.e. almost seven years.

Again, the exposure of these videos would not seriously affect the privacy of car owners, though that depends on the conditions, time and place.

Toyota promised to send individual apology notices to affected customers and set up a dedicated call center to handle their questions and requests.

In October 2022, Toyota informed its customers of another long-running data breach, which resulted from the exposure of an access key to the T-Connect customer database on a public GitHub repository.

This gave an unauthorized third party access to the details of 296,019 customers between December 2017 and September 15, 2022, when unauthorized external access to the GitHub repository was restricted.
