Japanese auto giant Toyota left sensitive data on millions of vehicles exposed on the internet for a decade, available to anyone who knew where to look, the company has confirmed.
According to a security notice published on the company’s newsroom website, information about the location of 2.15 million Toyota owners sat in an unprotected cloud database between November 6, 2013, and April 17, 2023.
"It was discovered that part of the data that Toyota Motor Corporation entrusted to Toyota Connected Corporation to manage had been made public due to misconfiguration of the cloud environment," a translation of the notice reads.
"After the discovery of this matter, we have implemented measures to block access from the outside, but we are continuing to conduct investigations, including all cloud environments managed by TC. We apologize for causing great inconvenience and concern to our customers and related parties."
It seems that Toyota kept an unprotected database of customers using its T-Connect G-Link, G-Link Lite, and G-BOOK, its car infotainment systems used for things like voice assistance, customer service, and car status and management. The data exposed included in-vehicle GPS navigation and terminal ID number, chassis number, as well as vehicle location and time data.
The silver lining is that the data is pseudonymous, so unless the attackers knew the vehicle identification number (VIN) of their target’s car, it was impossible to connect the data with the users. Still, people with physical access to Toyota cars could obtain this number relatively easily.
Toyota also said there’s a possibility that video recordings taken outside the vehicles were also exposed in the incident. These recordings were being made for almost seven years (November 2016 - April 2023).