Data of more than 2M Toyota customers exposed in ten years-long data breach

A data breach disclosed by Toyota Motor Corporation exposed info of more than 2 million customers for ten years

Toyota Motor Corporation disclosed a data breach that exposed the car-location information of 2,150,000 customers between November 6, 2013, and April 17, 2023.

The data breach was caused by a database misconfiguration that was accessible to anyone without authentication.

The security breach impacted customers who used the company’s T-Connect G-Link, G-Link Lite, or G-BOOK services.

Data exposed due to the decade-long data breach includes vehicle identification numbers, chassis numbers, and vehicle location information.

“It was discovered that part of the data that Toyota Motor Corporation entrusted to Toyota Connected Corporation (hereinafter referred to as TC) to manage had been made public due to misconfiguration of the cloud environment.” reads the data breach notification published by the automaker.

The exposed data included the vehicle identification number, vehicle location information, and video footage taken from a camera installed on the car.

Toyota pointed out that the exposed information cannot be used to identify the owners of the vehicles-

“This time, customer information that may have been viewed from the outside will not identify the customer based on this data alone, even if accessed from the outside.” continues the notice. “Since the discovery of this case, we have not confirmed any secondary use of customer information on the Internet by a third party, or whether or not there are any copies remaining, regarding customer information that may have been viewed from the outside.”

Currently, the company is unaware of any abuse of the data exposed in the security breach.

In October 2022, Toyota Motor Corporation warned customers that their personal information may have been accidentally exposed after an access key was publicly available on GitHub for almost five years.

The carmaker discovered that a portion of its T-Connect site source code was mistakenly published on GitHub.

The code also contained an access key to the data server that stored customer info, such as email addresses and management numbers. The source code was leaked by a development subcontractor.

An unauthorized third party could have had access to the details of Toyota customers between December 2017 and September 15, 2022. The number of impacted customers is 296,019, the GitHub repository was restricted in September 2022 and the keys were changed.

Exposed records include customer names, credit card data, and phone numbers have not been compromised as they weren’t stored in the exposed database.

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Toyota)