Cloud system error left Toyota customer data exposed for ten years
Toyota has revealed that information belonging to over 2 million of its customers in Japan has been open to the public since 2013. Anybody could have accessed the cloud server and downloaded the information with no restriction. And the reason for the error is so simple you will be shocked.
It’s believed that a worker at the company set the cloud system’s access to ‘public’ instead of ‘private’. The information in question is the vehicle location data and identification numbers of Toyota T-Connect and G-Link network users. T-Connect is a free navigation app for Toyota vehicles, while G-Link is a service for Lexus vehicle owners that offers premium services and emergency support features.
A company spokesperson has said there is no evidence of malicious activity resulting from the exposed data and that the data cannot be used to identify customers.
“Customer information that may have been viewed from the outside will not identify the customer based on this data alone, even if accessed from the outside. Since the discovery of this matter, we have not confirmed any secondary use of customer information on the internet by a third party,” the spokesperson said.
The security flaw has since been fixed and the company has commissioned a thorough audit of its entire cloud infrastructure across the breadth of its global operations. The company has also sworn to “thoroughly educate” its employees to avoid a similar occurrence in the future.
Gary Cannon, transport practice commercial director at NCC Group, has admitted that these kinds of errors are rare but carry grave consequences when they happen.
“It's not very common for an internal member of staff to accidentally set a cloud system to public instead of private. However, it can happen, especially if the person responsible for the cloud system is not familiar with its configuration or if they are rushing to get something done,” Cannon said. “It's important to note that setting a cloud system to public instead of private can have serious security implications, as it could expose sensitive data or services to unauthorized access.”
This is the second time user data belonging to Toyota customers has been exposed within one year. And the reason for the previous incident was just as shocking. In October 2022, the company revealed that data belonging to almost 300,000 customers was exposed after an access key was left publicly available on GitHub for around five years.
The issue was made worse by the fact that the leaked source code included access keys to a server containing customer email addresses.
Following the event, Toyota cautioned the affected customers to stay alert as they could be targets of phishing scams.