Japanese automaker Toyota Motors Corporation has discovered another data leak from a Toyota Connected (TC) cloud misconfiguration.
Toyota discovered the leak two weeks after investigating another breach that exposed 2.15 million customers for over a decade due to a misconfigured bucket.
In a new data breach notification, Toyota said it investigated all TC cloud environments and identified another batch of exposed data that was potentially accessible externally due to a misconfiguration of the cloud.
Another Toyota data leak exposed over 260,000 customers
The automaker disclosed that the cloud misconfiguration exposed 260,000 car owners in Japan between February 9, 2015, and May 12, 2023.
The cloud misconfiguration leaked car navigation data for Japanese car owners, including in-vehicle device ID, map data updates, and updated data creation dates. However, the exposed data does not contain location information and could not be used to identify the affected individuals or compromise internal car systems.
Customers who subscribed to the G-BOOK navigation system (G-BOOK mX or G-BOOK mX pro) and some on G-Link/G-Link Lite who updated their maps between February 9, 2015, and March 31, 2022, were affected.
The data leak also affected the Lexus sub-division, which includes models such as LS, GS, HS, IS, ISF, ISC, LFA, SC, CT, and RX.
Toyota has fixed the cloud misconfiguration and has no evidence of “any secondary use” or availability of the leaked data on the Internet. Additionally, the automaker noted that data entries were automatically deleted on a regular basis, limiting the amount of information exposed at any given time. The data leak also did not include vehicle location or credit card information, and the company had no evidence of secondary damage.
Meanwhile, the Japanese carmaker said it would notify customers using their enrolled email addresses in a separate apology.
Toyota cloud misconfiguration leaked overseas customer data
Toyota also confirmed that an unknown number of customers outside of Japan, specifically in Asia and Oceania, were impacted. The potential leak included name, phone number, email address, address, customer ID, vehicle identification number (VIN), and vehicle registration number.
According to the concluded investigation, that personal information was exposed between October 2016 and May 2023.
The automaker promised to address the incident under each victim’s applicable data protection laws.
“We will deal with the case in each country in accordance with the personal information protection laws and related regulations of each country,” the carmaker said.
Meanwhile, Toyota attributed the cloud misconfiguration to “insufficient dissemination and enforcement of data handling rules,” adding “since the last announcement, we have implemented a system to monitor cloud configurations.”
Apologizing to customers and all relevant parties, Toyota said a system went into operation to check the settings of all cloud environments on “an ongoing basis” to prevent similar incidents. Additionally, the carmaker would continue “thoroughly educating” its staff to prevent a recurrence.
“In addition, we will work closely again with TC to explain and thoroughly enforce the rules for data handling,” Toyota said.
The previous cloud misconfiguration data leak disclosed last month exposed in-vehicle terminal ID, chassis number, vehicle location information, and time.
Jason Kent, Cequence Security’s Hacker in Residence, criticized Toyota for failing to protect customers’ data after introducing a subscription-based model.
“But what are we getting for this subscription cost?” he asked. “Well, it turns out we get a risk of having our data exposed to the world and having would-be attackers get access to some pretty interesting information. The type of data exposed could lead to additional problems.”
Although the leaked in-vehicle data was not readily exploitable, Kent warned that hackers could obtain additional information to compromise the victims: “Since we can get the VIN and the information about the owner, it’s possible to pull the window sticker, and it isn’t hard to imagine the scams that might follow.”