Toyota exposed car location data of 2 million drivers for 10 years — what you need to know

A picture of the Toyota logo on a sign
(Image credit: Shutterstock)

The Japanese car company Toyota has revealed that its cloud environment suffered a data breach that exposed the location information of its customer’s cars for a decade.

According to a new report from BleepingComputer, approximately 2.15 million Toyota customers had the location data of their cars exposed between November 6, 2013 and April 17, 2023.

In a security notice published on its Japanese site, Toyota provided more details on the data breach. The company cited a database misconfiguration that allowed anyone to access the car location data of its customers without having to enter a password.

Fortunately, the company has now fixed its cloud environment and properly secured this sensitive information using a password. However, Toyota is still conducting investigations into the matter to see if any of the exposed data was misused.

Real-time location data

red toyota prius in a driveway

(Image credit: Shutterstock)

This data breach led to location information of customers that used Toyota’s T-Connect G-Link, G-Link Lite or G-Book services between January 2, 2012 and April 17, 2023.

For those unfamiliar, T-Connect is the company’s in-car smart service that can be used for voice assistance, customer service, car status and management as well as on-road emergency help.

the Japanese auto maker also revealed that video recordings taken outside of affected cars may have been exposed during the breach

Although there is no evidence that the exposed information was misused, hackers or anyone else for that matter, could have obtained in-vehicle GPS navigation terminal ID numbers, chassis numbers and vehicle location information with time data from any of the affected vehicles.

At the same time, personally identifiable information like driver’s licenses, addresses and phone numbers weren’t exposed as a result of the breach. This means that it wouldn’t be possible to track Toyota owners using the exposed information unless an attacker knew their car’s vehicle identification number (VIN).

In a second statement on its “Toyota Connected” site, the Japanese auto maker also revealed that video recordings taken outside of affected cars may have been exposed during the breach.

Outlook: Toyota data breach

Unlike other more serious data breaches where personal information and financial details were exposed, the Toyota data breach won’t likely impact the privacy of its customers. However, the matter doesn’t look good for the company, especially since the breach occurred due to a misconfigured cloud environment.

To rectify things with affected customers, Toyota has promised that it will send individual apology notices while also setting up a dedicated call center to handle their questions and requests. It likely won’t provide free access to the best identity theft protection as information that could be used to commit fraud or identity theft wasn’t exposed.

We’ll likely hear more from Toyota once its investigation into the data breach is concluded. There’s also a fairly high chance that the company could face fines from regulators as this was a mistake on their end and not the work of hackers.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.