“Massive Data Breach: Sensitive Car Location Information of Two Million Customers Unveiled in Decade-Long Security Lapse”

Toyota Motor Corporation Discloses Data Breach Affecting Millions of Customers

IT Services has learned that Toyota Motor Corporation recently disclosed a data breach that compromised the car-location information of 2,150,000 customers for a decade. The data breach, which occurred between November 6, 2013, and April 17, 2023, was caused by a database misconfiguration that allowed anyone to access its contents without a password.

According to a security notice published in the company’s Japanese newsroom, the breach resulted from a misconfiguration in the cloud environment that Toyota Motor Corporation had entrusted to Toyota Connected Corporation to manage. The notice stated that Toyota has implemented measures to block access from the outside and is conducting investigations, including all cloud environments managed by TC. Toyota apologized for the inconvenience and concern caused to its customers and related parties.

How Did the Data Breaches on American Airlines and Southwest Airlines Compare to the Car Location Information Security Lapse?

The american and southwest airlines data breaches had different implications compared to the car location information security lapse. While the airline breaches exposed personal data of millions of customers, the car location lapse primarily affected the privacy of vehicle owners. These incidents highlight the need for robust security measures across different industries to safeguard sensitive information effectively.

Exposed Car Location and Videos

The incident exposed the information of customers who used Toyota’s T-Connect G-Link, G-Link Lite, or G-BOOK services between January 2, 2012, and April 17, 2023. T-Connect is Toyota’s in-car smart service for voice assistance, customer service support, car status and management, and on-road emergency help.

The data exposed in the misconfigured database included the in-vehicle GPS navigation terminal ID number, the chassis number, and vehicle location information with time data. While unauthorized users could have accessed the data, there is no evidence that it was misused. However, the data leak could have provided access to the historical data and possibly the real-time location of 2.15 million Toyota cars.

It is important to note that the exposed data does not constitute personally identifiable information. Therefore, it would not be possible to use this data leak to track individuals unless the attacker knew the VIN (vehicle identification number) of their target’s car. A car’s VIN, also known as the chassis number, is easily accessible, so someone with enough motivation and physical access to a target’s car could theoretically have exploited the decade-long data leak for location tracking.

Furthermore, a second Toyota statement published on the Japanese ‘Toyota Connected’ site mentions that video recordings taken outside the vehicle may have been exposed in this incident. The exposure period for these recordings was defined between November 14, 2016, and April 4, 2023, which is nearly seven years. However, the exposure of these videos would not significantly impact the car owners’ privacy, but this depends on the conditions, time, and location.

Toyota has promised to send individual apology notices to impacted customers and set up a dedicated call center to handle their queries and requests.

In October 2022, Toyota informed its customers of another lengthy data breach resulting from exposing a T-Connect customer database access key on a public GitHub repository. This enabled an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when external unauthorized access to the GitHub repository was restricted.