Toyota Japan confirms decade-long security breach
Toyota Japan has confirmed that, due to a cloud misconfiguration, the personal and vehicle information of 2.15 million users was leaked on the internet. The information had been exposed for a decade, but the company discovered it only recently, in April.
Affected customers include those who signed up for the T-Connect network service between the beginning of 2012 and April 17. Toyota has apologized to its customers for causing concern. According to TechCrunch, Toyota said that the exposed data includes: "registered email addresses; vehicle-unique chassis and navigation terminal numbers; the location of vehicles and what time they were there; and videos from the vehicle’s “drive recorder” which records footage from the car."
The leak was caused by human error that left a cloud system set to public rather than private. Toyota stated that it will implement a system for auditing cloud settings, build up a system for continuously monitoring settings, and properly educate personnel on data management standards. It is unclear what bad actors can do with this information or whether they have already conducted any malicious activities.
Apart from the Toyota drivers who used T-Connect, Lexus users of the G-Link app have also been affected by the security breach. According to one of its staff, Japan's Personal Information Protection Commission has been alerted about the event but has declined to disclose any details, in keeping with its policy of not commenting on particular incidents.
The issue began in November 2013
Toyota Japan said that the issue began back in November 2013, which makes it a decade-long security breach. The company noticed it last month, so it lasted until mid-April. “There was a lack of active detection mechanisms, and activities to detect the presence or absence of things that became public,” a Toyota spokesperson said when asked why it took the company so long.
Toyota stated that when the vulnerability was detected, precautions were taken to prevent unauthorized access to the data, and an investigation into all cloud environments administered by Toyota Connected Corp started.