According to Toyota, the breach in Asia and Oceania occurred due to a misconfiguration in the files managed by Toyota Connected Corporation. These files, intended for overseas dealers' maintenance requirements and system investigations, were inadvertently made externally accessible. As a result, customer details such as addresses, names, phone numbers, email addresses, customer IDs, vehicle registration numbers, and vehicle identification numbers were potentially accessible to the public from October 2016 until May 2023.
In a separate incident limited to Japan, approximately 260,000 customers utilizing the Lexus G-Link connected services had their vehicle details exposed. This information included vehicle identification numbers, map data updates, and other mapping systems. However, no data that could identify owners was compromised. This breach occurred between February 9, 2015, and May 12, 2023.
Toyota has taken these breaches seriously and is currently investigating the matter in accordance with the laws and regulations of each country involved. The company attributes these incidents to insufficient dissemination and enforcement of data handling rules and has already implemented a system to monitor cloud configurations since the initial breach was discovered in mid-May.
Despite these security breaches, Toyota has found no evidence of the secondary use of the exposed information or any third-party copies of the data. The company remains committed to ensuring the privacy and security of its customers' information moving forward.
Source: Reuters