The Japanese car company Toyota has revealed that its cloud environment suffered a data breach that exposed the location information of its customers’ cars for a decade.
According to a new report from BleepingComputer, approximately 2.15 million Toyota customers had the location data of their cars exposed between November 6, 2013 and April 17, 2023.
In a security notice published on its Japanese site, Toyota provided more details on the data breach. The company cited a database misconfiguration that allowed anyone to access the car location data of its customers without having to enter a password.
Fortunately, the company has now fixed its cloud environment and properly secured this sensitive information using a password. However, Toyota is still conducting investigations into the matter to see if any of the exposed data was misused.
Real-time location data
This data breach exposed the location information of customers who used Toyota’s T-Connect G-Link, G-Link Lite or G-Book services between January 2, 2012 and April 17, 2023.
For those unfamiliar, T-Connect is the company’s in-car smart service that can be used for voice assistance, customer service, car status and management as well as on-road emergency help.
Although there is no evidence that the exposed information was misused, hackers, or anyone else for that matter, could have obtained in-vehicle GPS navigation terminal ID numbers, chassis numbers and vehicle location information with time data from any of the affected vehicles.
At the same time, personally identifiable information like driver’s licenses, addresses and phone numbers weren’t exposed as a result of the breach. This means that it wouldn’t be possible to track Toyota owners using the exposed information unless an attacker knew their car’s vehicle identification number (VIN).
In a second statement on its “Toyota Connected” site, the Japanese auto maker also revealed that video recordings taken outside of affected cars may have been exposed during the breach.
Outlook: Toyota data breach
Unlike other more serious data breaches where personal information and financial details were exposed, the Toyota data breach won’t likely impact the privacy of its customers. However, the matter doesn’t look good for the company, especially since the breach occurred due to a misconfigured cloud environment.
To rectify things with affected customers, Toyota has promised that it will send individual apology notices while also setting up a dedicated call center to handle their questions and requests. It likely won’t provide free access to the best identity theft protection as information that could be used to commit fraud or identity theft wasn’t exposed.
We’ll likely hear more from Toyota once its investigation into the data breach is concluded. There’s also a fairly high chance that the company could face fines from regulators as this was a mistake on their end and not the work of hackers.