Toyota recently revealed that it had suffered a decade-long data breach, which exposed information on more than 2 million vehicles. The customers affected are those who signed up for Toyota's T-Connect network service from the beginning of 2012 until April 17. The exposed data includes registered email addresses, vehicle-unique chassis and navigation terminal numbers, vehicle locations, and videos from the vehicle's "drive recorder".
According to a report by TechCrunch, Toyota attributed the breach to poor security configurations in the cloud-based service, which allowed anyone to access the data without a password. The issue was first noticed in April, and the servers have since been properly safeguarded.
The Toyota Connected service allows customers to receive assistance when required, determine the location of their vehicle, and receive service reminders. However, it does not reveal personally identifiable information. A company spokesperson commented that the problem lay in the way the cloud-based service was protected from external access.
To address such issues, Erfan Shadabi, a cybersecurity expert at comforte AG, emphasized the need for regular training sessions to instill cloud security best practices, for data-centric security measures such as tokenization, for adherence to Zero Trust principles when granting permissions and access rights to cloud resources, and for following cloud service providers' security guidelines and best practices to ensure a secure cloud environment.
Elliott Wilkes, the chief technology officer at Advanced Cyber Defence Systems (ACDS), suggested that the breach may have been compounded by company source code containing privileged credentials that was mistakenly posted to a public repository on GitHub. Wilkes proposed the use of a privileged access management solution that securely stores and uses credentials, rather than leaving a software engineer to store them insecurely.
Wilkes also emphasized the need for regular auditing of cloud systems and for reviewing the default settings of software-as-a-service tools such as GitHub, as well as preventing developers and end-users from making insecure choices. He believes that government intervention may also be necessary to set standards for what good cybersecurity looks like, as the automotive industry, along with many other technologies and everyday consumer tools, is becoming increasingly connected to the internet.
In light of this breach, Toyota must take decisive action to ensure that its customers’ data is safe. The company should also collaborate with other automakers and industry experts to develop better cybersecurity practices and protocols to prevent future breaches.