Toyota Exposed Auto Location of 2M Japanese Customers – Source: www.govinfosecurity.com

Cloud Security
,
Incident & Breach Response
,
Security Operations

Undetected Cloud Misconfiguration Exposed Vehicle Information for Over Ten Years

Jayant Chakravarti (@JayJay_Tech) •
May 12, 2023    

Toyota on Friday disclosed that it exposed online for a decade car location data belonging to more than two million Japanese customers.

See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources

The company said human error caused a cloud misconfiguration in subsidiary Toyota Connected Corporation that exposed data including vehicle location, times of day and vehicle ID number. The subsidiary, which manages the carmaker’s remote assistance and smartphone connection offerings, additionally said outsiders additionally may have been able to access video taken outside the vehicle with an onboard recorder.

The location data was exposed online from November 2013 through mid-April while the video was hosted insecurely between November 2015 and early April.

The data by itself cannot be used to identify individual car owners, Toyota said. The carmaker also said it found no evidence that an outside party accessed the data. The exposure affects 2.15 million users of Toyota’s T-Connect service and the similar Lexus G-Link service.

The incident comes just months after Toyota said a subcontractor accidently uploaded onto a public GitHub repository source code for T-Connect containing an access key to a data server holding nearly 300,000 email addresses. Toyoyta collected affected emails starting in December 2017. It discovered the public repository in on Sept. 15, 2022, making it private that day and changing the access key two days later.

Toyota’s Italian distributor in March also said customers’ phone numbers and email addresses were exposed for more than 18 months through an instance of Salesforce Marketing Cloud. The data exposure enabled third parties to “access phone numbers and email addresses, customer tracking information, and email, SMS, and push-notification contents” (see: Breach Roundup: Lumen, QNAP, NCB and Toyota Italy).