Toyota Software Security Flaw Exposed Vehicle Locations Of 2M Cars For 10 Years
If you’ve owned a Toyota vehicle with connected services in the last several years, we have some bad news to share with you. The automaker has announced that it has discovered a major data breach on its cloud environment that has exposed the location of about 2.15 million vehicles for more than a decade. Apparently, the leak happened due to a database misconfiguration, which allowed anyone to access Toyota’s cloud environment without a password.
The firm published a security notice on its Japanese newsroom and Bleeping Computer investigated the case. Customers who used Toyota’s T-Connect G-Link, G-Link Lite, or G-BOOK services between January 2, 2012, and April 17, 2023, are affected. The exposed information includes the in-vehicle GPS navigation terminal ID number, the vehicle’s chassis number, and vehicle location information with time data.
A translated version of Toyota’s original statement says the following: "It was discovered that part of the data that Toyota Motor Corporation entrusted to Toyota Connected Corporation to manage had been made public due to misconfiguration of the cloud environment. After the discovery of this matter, we have implemented measures to block access from the outside, but we are continuing to conduct investigations, including all cloud environments managed by TC. We apologize for causing great inconvenience and concern to our customers and related parties."
Fortunately, there is no evidence that the leaked data has been used for wrongdoing, though Bleeping Computer reports unauthorized users could have accessed the historical data of 2.15 million Toyota cars. The good news, however, is that the exposed data doesn’t include personal information, which means tracking individuals has been impossible unless the hacker knew the car’s VIN. The firm also says there’s a possibility of leaks of video recordings taken outside the vehicle.
“Starting today, we will individually send an apology and notification to the registered e-mail address for customers whose in-vehicle terminal ID, chassis number, vehicle location information, and time may have been leaked. In addition, we will set up a dedicated call center to answer questions and concerns from customers,” Toyota adds in a statement on its Japanese press site.
