IOTW: Location data of two million customers exposed in Toyota data breach

A cloud misconfiguration in car manufacturer Toyota’s servers may have leaked sensitive information belonging to more than two million customers.

The cloud misconfiguration meant that sensitive information for those who subscribed to Toyota services T-Connect, G-Link, G-Link Lite and/or G-BOOK between January 2, 2012 and April 17, 2023 was accessible to unauthorized parties from November 6, 2013 to April 17, 2023.

The data includes location information for impacted vehicles and the time the vehicle was at said locations, as well as the in-vehicle terminal ID and Vehicle Identification Number (VIN).

Unauthorized parties may have also been able to access “video taken outside the vehicle with a drive recorder collected from corporate services provided [Toyota]” between November 14, 2016 and April 4, 2023.

Toyota cited an “insufficient explanation and thoroughness of data handling rules” as the reason for the cloud misconfiguration. To prevent further leaks, the company has said it will be “thoroughly educating employees and working to prevent recurrence”, as well as introducing “a system to audit cloud settings, conduct a setting survey of the cloud environment and build a system to monitor the setting status on an ongoing basis”.

Toyota has said that once the misconfiguration was discovered, processes were implemented to prevent further data leaks. The company has also said that it will be investigating all cloud environments managed by Toyota to prevent further cloud misconfigurations and leaks.

The car manufacturer will be contacting all those affected by the leaks in addition to setting up a dedicated call center to “answer questions and concerns” from customers.

Unfortunately, this is not the first time that Toyota T-Connect has been involved in a data leak.


Toyota T-Connect source code posted to GitHub

On October 7, 2022, Japanese car manufacturer Toyota issued an apology after it was discovered that third parties may have gained unauthorized access to customer details between December 2017 and September 2022.

The breach occurred because a section of the source code for T-Connect, an app which allows customers to connect their phone to their car, had been posted on source code repository GitHub in December 2017. As the source code contained an access key for the server, this may have allowed unauthorized access to customer data for five years.

Any customers who registered for the app from December 2017 to September 2022 were at risk of having their data accessed, meaning the data for a potential 296,019 customers may have been leaked. The information available included email addresses and customer management numbers. Personal or sensitive information including payment card information, name and address were not leaked.

Following a security investigation, Toyota said that while it “cannot confirm access by a third party based on the access history of the data server where the customer’s email address and customer management number are stored, at the same time [it] cannot completely deny it”.

Toyota also said that it would individually notify all those who were affected by the breach.
