Cloud Security , Incident & Breach Response , Security Operations

Toyota Exposed Auto Location of 2M Japanese Customers

Undetected Cloud Misconfiguration Exposed Vehicle Information for Over Ten Years
Toyota Exposed Auto Location of 2M Japanese Customers
Image: Shutterstock

Toyota on Friday disclosed that it exposed online for a decade car location data belonging to more than two million Japanese customers.

See Also: How ACV Auctions Uses Cyera to Control Sensitive Cloud Data Exposure

The company said human error caused a cloud misconfiguration in subsidiary Toyota Connected Corporation that exposed data including vehicle location, times of day and vehicle ID number. The subsidiary, which manages the carmaker's remote assistance and smartphone connection offerings, additionally said outsiders additionally may have been able to access video taken outside the vehicle with an onboard recorder.

The location data was exposed online from November 2013 through mid-April while the video was hosted insecurely between November 2015 and early April.

The data by itself cannot be used to identify individual car owners, Toyota said. The carmaker also said it found no evidence that an outside party accessed the data. The exposure affects 2.15 million users of Toyota's T-Connect service and the similar Lexus G-Link service.

The incident comes just months after Toyota said a subcontractor accidently uploaded onto a public GitHub repository source code for T-Connect containing an access key to a data server holding nearly 300,000 email addresses. Toyoyta collected affected emails starting in December 2017. It discovered the public repository in on Sept. 15, 2022, making it private that day and changing the access key two days later.

Toyota's Italian distributor in March also said customers' phone numbers and email addresses were exposed for more than 18 months through an instance of Salesforce Marketing Cloud. The data exposure enabled third parties to "access phone numbers and email addresses, customer tracking information, and email, SMS, and push-notification contents" (see: Breach Roundup: Lumen, QNAP, NCB and Toyota Italy).


About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.