Posted on May 15, 2023 at 2:16 PM
Toyota discloses data breach that exposed car location data and video recordings
Toyota Motor Corporation has disclosed a data breach on its systems. The automaker confirmed that the breach happened in its cloud environment, and it exposed car-location data belonging to more than 2 million customers. The breach lasted for ten years, with the hackers being able to exfiltrate information from the automaker.
Toyota discloses data breach that exposed car location data
The breach in question happened between November 6, 2013, and April 17, 2023. For a decade, hackers infiltrated the company’s cloud network and accessed the car location data belonging to 2,150,000 customers.
Toyota published a security notice on the breach, saying that it was caused by a database misconfiguration that enabled anyone to access the contents without needing a password. The exposure left the affected customers vulnerable to their car location data being tracked by anyone with malicious intent.
The notice read: “It was discovered that part of the data that Toyota Motor Corporation entrusted to Toyota Connected Corporation to manage had been made public due to misconfiguration of the cloud environment.”
The data remained exposed for a decade. However, the company said that after it detected the matter, it took measures to ensure that there was no further access to the information by external parties. The company also added that it was still conducting investigations into the matter, including the cloud environments that are managed by the Toyota Corporation.
The automaker has also sent an apology to the affected users “for causing great inconvenience.” According to the company, the matter triggered much concern from its customers and other related stakeholders.
Data breach exposed car location data and videos
This data breach incident exposed information belonging to customers who had previously used the T-Connect G-Link Lite or the G-BOOK services at the company. The breach exposed those who used these services between January 2, 2012, and April 17, 2023.
T-Connect is a smart feature on Toyota vehicles. The in-car smart service is used for a wide range of functions, including voice assistance, customer service support, car status and management, and on-road emergency help. The breach led to a wide range of information fed into this system being exposed.
Those who gained unauthorized access to the misconfigured database could view a variety of details about a Toyota vehicle, including the chassis number, the in-vehicle GPS navigation terminal ID number, and the vehicle location information that includes time data.
There is no evidence showing that the stolen data fell into the hands of malicious threat actors or that it was misused. However, the breach was substantial, given that an unauthorized user could have obtained the historical data and even the real-time location of over two million Toyota vehicles.
While the breach is in itself significant and has the potential to cause significant damage, it is important to note that the exposed details do not amount to personally identifiable information. Therefore, it would not be possible for this data to be used in a leak to track individuals. The only likelihood that exists for this information to be exploited is if the attacker also had access to the vehicle identification number (VIN) of the target’s vehicle.
The VIN of a vehicle, also known as the chassis number, can be easily accessed. Therefore, any threat actor that is motivated enough and has physical access to the target’s car might have accessed this number. Such a threat actor could have exploited the data breach for location tracking.
The Toyota Connected platform also released another statement saying that there was a likelihood that video recordings taken outside the vehicle might have been exposed in the incident. The period of exposure for the recordings is around seven years, between November 14, 2016, and April 4, 2023.
The exposure of the video did not pose a significant risk to the privacy of the car owner, although this was dependent on the conditions, location, and time. Toyota has said that it will send apology alerts to the affected customers and will have a dedicated support line to handle their inquiries.
It is not the first time that Toyota has reported a data breach. In October last year, the automaker informed its customers of another breach that led to the exposure of a T-Connect customer database access key in a public GitHub repository. The breach allowed unauthorized access to the data of 296,019 customers between December 2017 and September 15, 2022.