Heimdal

Toyota Motor Corporation issued a notice on the company’s Japanese newsroom disclosing a data breach that lasted ten years. A database misconfiguration in its cloud environment exposed the car-location data of 2,150,000 customers.

Details from the Data Breach Notice

The misconfiguration allowed unauthorized people to access the database without needing a password. The data breach exposed information between November 6, 2013, and April 17, 2023.

It was discovered that part of the data that Toyota Motor Corporation entrusted to Toyota Connected Corporation to manage had been made public due to misconfiguration of the cloud environment.

Source

The organization took security measures to close access to the database, and investigations continue.

After the discovery of this matter, we have implemented measures to block access from the outside, but we are continuing to conduct investigations, including all cloud environments managed by TC. We apologize for causing great inconvenience and concern to our customers and related parties.

Source

What Data Was Exposed

The victims were people using Toyota’s T-Connect G-Link, G-Link Lite, or G-BOOK services between January 2, 2012, and April 17, 2023. T-Connect is a smart service for Toyota cars that provides voice assistance, customer service support, car status and management data, and emergency help.

The misconfigured database revealed the following data:

  • the chassis number
  • the in-vehicle GPS navigation terminal ID number
  • the vehicle’s location and time data

So far, there is no sign that the leaked data was used in a malicious way. However, hackers could have seen the real-time location of 2.15 million vehicles.

Another piece of good news is that the exposed data does not contain any personally identifiable information, so cybercriminals can’t use it to track people. But this could change if a threat actor finds out the VIN (vehicle identification number) of a victim’s car.

A car’s VIN, also known as chassis number, is easily accessible, so someone with enough motivation and physical access to a target’s car could theoretically have exploited the decade-long data leak for location tracking.

Source

Video Leaks

The organization also mentioned the possibility of video leaks linked to this data breach. Video recordings from outside the cars, taken between November 14, 2016, and April 4, 2023, might have been exposed.

This nearly seven-year data leak can impact the owners only if a hacker uses the recordings in a larger attack.

Toyota has promised to send individual apology notices to impacted customers and set up a dedicated call center to handle their queries and requests.

Source

This is not the first security incident impacting Toyota. In October 2022, a security problem exposed the data of 296,019 customers after an access key for the T-Connect customer database was published in an open GitHub repository. The exposure lasted from December 2017 to September 15, 2022, when outside access to the GitHub repository was blocked.


Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content.
