Toyota Motor Corporation has discovered two additional misconfigured cloud services that leaked car owners’ personal information for over seven years.
The finding came after the Japanese carmaker conducted a thorough investigation of all cloud environments managed by Toyota Connected Corporation, following its earlier discovery of a misconfigured server that exposed the location data of over 2 million customers for ten years.
“We conducted an investigation for all cloud environments managed by TOYOTA Connected Corporation (TC). It was discovered that a part of the data containing customer information had been potentially accessible externally,” reads the new Toyota notice.
The first cloud service exposed the personal information of Toyota customers in Asia and Oceania between October 2016 and May 2023.
The database, which should have only been accessible to dealers and service providers, was publicly exposed, leaking the following customer information:
- Phone number
- Email address
- Customer ID
- Vehicle registration number
- Vehicle Identification Number (VIN)
The Japanese carmaker has not clarified how many customers were impacted by this leak.
The second cloud instance was exposed between February 9th, 2015, and May 12th, 2023, and contained less sensitive data related to cars’ navigation systems. This data includes the in-vehicle device ID (navigation terminal), map data updates, and data creation dates (no vehicle location data) of approximately 260,000 customers in Japan.
This leak impacted customers who subscribed to the G-BOOK navigation system with a G-BOOK mX or G-BOOK mX Pro and some who subscribed to G-Link / G-Link Lite and renewed their Maps using Toyota’s on Demand service between February 9th, 2015, and March 31st, 2022.
The impacted vehicles are models of Toyota’s sub-brand, Lexus, and include LS, GS, HS, IS, ISF, ISC, LFA, SC, CT, and RX cars sold between 2009 and 2015.
Toyota says that data entries were automatically deleted from the cloud environment after a while, so there was a limited amount of data exposed at any given moment.
[Image: Details of the first exposed database. Source: Toyota]
The carmaker claims that even if the data was accessed externally, it would not be enough to infer identification details about the customer or access the vehicle’s systems in any way.
Toyota says that it has implemented a system that monitors cloud configurations and database settings on all its environments regularly to prevent these types of leaks in the future.