autoevolution
 

Toyota Confirms Embarrassing Data Breach, 2 Million Vehicles Exposed for 10 Years

Toyota has recently acknowledged one of the most embarrassing data breaches in the automotive industry. The company said the data of approximately 2 million vehicles sold in its home market has been at risk for a full decade.
As unusual as that may sound, Toyota says it became aware of the data breach earlier this year. The company discovered that a database misconfiguration exposed the information of Japanese customers who connected to the cloud-based Connected service.

An advisory published on Toyota's Japanese website reveals that the data of 2.15 million customers has been at risk during this whole time, as anyone could access the information without a password.

There's no evidence that anyone misused the data, and the company emphasizes that no personal information has been exposed.

Here's everything you need to know about the data breach.

First and foremost, let's start with who was affected. Toyota says only customers in Japan were exposed, so if you live in North America or Europe, your data is still secure, no matter if you accessed the Connected service in the last decade or not.

Toyota estimates that the data of about 2.15 million people was exposed between January 2012 and April 2023. A company spokesperson says the problem lay in the way the cloud-based service was protected from external access. Because of poor security configurations, anyone could access the data without a password. The issue was spotted in April, so the servers are now properly safeguarded.

The Toyota Connected service helps customers get service reminders, determine the location of the vehicle, and receive assistance when required. As such, the cloud-based platform did not reveal personally identifiable information.

On the other hand, the Japanese carmaker confirms that the exposed database included the vehicle identification number, also referred to as VIN, as well as the location of the vehicle. In other words, a malicious actor would have been able to tell precisely where a certain vehicle was at any given time as long as they knew the VIN. However, it's important to understand that the database did not include personal details, so linking the VIN code with a certain Toyota customer wasn't possible based purely on the leaked information.

Toyota also determined that video footage recorded by cars might have been exposed. While this could be more concerning for some customers, the company explains that only recordings taken outside the vehicle with the onboard cameras were stored on the server. This means that linking a specific recording with a VIN code and a certain customer is also unlikely.

In this case, the Japanese carmaker says the recordings were exposed for approximately seven years between November 2016 and April 2023.

The company says it's still running an internal investigation to determine if any other information might have been accessed by unauthorized individuals.


What customers should do

Since the data blunder did not include personal information (such as names, addresses, and credit card information), customers shouldn’t contact Toyota or make a service appointment. The Japanese carmaker, however, says it'll contact customers one by one to detail the breach and tell them what information was exposed.

Toyota says the affected services included G-Link, G-Book, and Connected, but all have received patches to block access without a password. As such, customers can access them normally at this point, so no further information is currently at risk.

Hackers are unlikely to be particularly interested in the data, especially because linking the exposed information with customers is hard. On the other hand, video recordings could eventually pose a privacy risk, depending on where the driver was located.

Unfortunately for Toyota, a 10-year-long data breach isn't only embarrassing but also proof the company isn't necessarily learning from its past mistakes. In late 2022, the Japanese carmaker acknowledged another similar incident that exposed the data of nearly 300,000 customers. At that point, the culprit was a T-Connect access key, which was publicly available on GitHub for five years. The data was exposed between December 2017 and September 2022 after the T-Connect site source code was published on GitHub.

The code also included an access key, essentially allowing any unauthorized individual to connect to the service and obtain access to customer data. In this particular incident, Toyota exposed the email addresses and management numbers belonging to customers.

Time will tell if Toyota will pay more attention to its security practices, but for now, the only good thing is that the blunder doesn’t produce too much damage. Given the nature of the exposed data, hackers are unlikely to have leaked, copied, or misused the data in any way.

If you're still concerned about the data breach and want additional information, Toyota says Japanese customers can reach out to the company through a dedicated call center.
About the author: Bogdan Popa