The breach resulted from a database misconfiguration in Toyota's cloud environment that allowed access without a password. This alarming discovery has raised concerns about the privacy and security of connected vehicles.
Affected customers are those who utilized Toyota's T-Connect G-Link, G-Link Lite, or G-BOOK services between January 2, 2012, and April 17, 2023. The exposed data includes the identification number of the in-vehicle GPS navigation terminal, the vehicle's chassis number, and its corresponding location information with timestamps.
Toyota acknowledged the breach through a security notice published on its Japanese newsroom site, and the case was investigated by Bleeping Computer. The company expressed deep regret for the inconvenience and concern caused to its customers and related parties, while assuring them that immediate steps have been taken to prevent further unauthorized access to its cloud environments.
Thankfully, there is currently no evidence to suggest that the leaked data has been misused. Although unauthorized users potentially accessed the historical data of 2.15 million Toyota cars, the exposed information does not include personal data, making it impossible to track individuals unless whoever accessed the data also possessed the car's vehicle identification number (VIN). There is, however, a risk of leaked video recordings captured outside the vehicles.
To address the situation, Toyota plans to notify affected customers individually via their registered email addresses. The company will also establish a dedicated call center to handle any questions or concerns raised by customers.
While Toyota assures that immediate measures have been implemented to enhance security and protect customer data, this incident serves as a stark reminder of the importance of robust cybersecurity practices.
Source: Bleeping Computer