On Wednesday, Toyota Motor Corporation announced that the personal details of their customers in certain countries in Oceania and Asia, excluding Japan, may have been exposed to the public from October 2016 to May 2023. This disclosure came after Toyota launched an investigation into the data leak, which was revealed on May 12, and found that the incident was larger than previously disclosed.
The initial announcement indicated that the vehicle data of 2.15 million users in Japan had been unintentionally available to the public for ten years due to human error. The potentially accessible customer information included names, addresses, phone numbers, email addresses, as well as vehicle identification and registration numbers.
According to the latest announcement, the scale of the potential data leakage incident was much deeper than anticipated as a part of the data containing customer information had been potentially accessible externally due to a misconfiguration of its cloud environment. The potentially accessible customer information included in-vehicle device IDs, map data updates, and the creation dates of updated data used for the distribution of in-vehicle navigation terminal map data. However, these data alone cannot identify individual customers or provide access to or affect the vehicles, the company claimed.
Toyota is now continuously monitoring cloud settings while planning to collaborate with Toyota Connected Corporation (TC) to reinforce data handling rules and educate employees to prevent such incidents in the future.
Toyota classified the whole Toyota Motor customer data leak into two sections: domestic service incidents in Japan and overseas service incidents. The statement clarified that the leaked details of Japanese customers were not identifiable and would not provide access to or affect their vehicles. Toyota stated that it will handle the case in each country according to the personal information protection laws and regulations of that country.
This incident is not the first for Toyota, as it is one of many data security incidents that have affected automobile manufacturers and distributors in recent years. Last year, a data leak exposed the details of 300,000 customers, and a data breach happened in its Indian business in January 2023.
According to Upstream’s 2022 Global Automotive Cybersecurity Report, about 82% of cyber attacks targeting the automotive industry, encompassing consumer vehicles, manufacturers, and dealerships, were executed remotely. More than 40% of incidents targeted back-end servers. This report emphasizes the importance of safeguarding critical infrastructure.
According to an AT&T report, the automotive industry’s most common cyber threats are EV charging station exploitation, infotainment system attacks, brute force network attacks, phishing attacks, compromised aftermarket devices, ransomware, and supply chain attacks.
As one of the world’s most significant automobile manufacturers, Toyota will need to take firm steps to improve its cybersecurity and data privacy measures to protect its customers from future attacks and prevent any further data breaches or leaks. The company will also need to ensure that not only its policies and rules are updated for the cloud environment, but its employees are also well-educated about the importance of data privacy.