Toyota finds more servers have been leaking customer data

An abstract image of a magnifying glass over a digital cloud.
(Image credit: Shutterstock/Illus_man)

Toyota has found another misconfigured database holding sensitive customer information that anyone who knew where to look, would be able to access.

In a statement, Toyota said that it found the new breach having implemented tighter data security controls put in place after a separate misconfigured database was discovered earlier this year containing sensitive information on more than two million customers, and thought to have been sitting unsecured for roughly a decade. 

Details on 260,000 car owners were contained in this newly discovered batch, including in-vehicle device identifiers and mapping data displayed in the car’s navigation system. Given that it’s pseudonymous, it’s almost impossible to connect it to actual people, without additional data from a separate source.

Toyota customer breach

Most of the affected customers were said to be in Japan, however, with an undisclosed number residing elsewhere in Asia and Oceania. Some of these customers have had information such as names, postal addresses, and email addresses exposed, as well as Toyota-issued customer ID numbers and vehicle registration/ID numbers. 

The affected customers bought their Toyotas from December 2007 onward, with the data being exposed between February 2015 and May 2023.

While this is definitely a dangerous slip-up, there seems to be good news - Toyota claims there’s no evidence anyone found the database before it did, as the data shows no exfiltration attempts. The company did not elaborate on which methods it used to determine this. 

So far, the carmaker isn’t responding to media inquiries, TechCrunch says, but it did issue an apology and said it would contact all of the affected customers with a separate apology. We don’t know if it will offer a year of identity theft and credit monitoring service, as is standard practice in such scenarios.

Via: TechCrunch

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.