Toyota Motor [7203:JP] disclosed that the vehicle data of 2.15 million users in Japan had been publicly available for a decade from November 2013 to mid-April 2023, due to human error, as reported by Reuters on May 12. According to the company, the leaked data may include details such as vehicle locations and identification numbers of vehicle devices. However, there have been no reports of malicious use. The affected users comprise almost the entire customer base who signed up for Toyota’s major cloud service platform, T-Connect, as well as the users of G-Link, a similar service for Lexus vehicles owners. Upon discovering the issue, Toyota has taken measures to block outside access to the data and has initiated an investigation into all cloud environments managed by Toyota Connected Corp.
Toyota admitted to lacking active detection mechanisms and processes to promptly identify public exposure of data when questioned about the delay in detecting the recent data leak. The company has commited to implementing a system to audit cloud settings, establishing a system to continuously monitor settings, and conducting comprehensive training for employees on data handling rules. Prior to this data leak incident, Toyota had already informed its customers in October 2022 of another significant data breach related to its cloud service platform. Specifically, it had inadvertently exposed a credential that provided access to the T-Connect customer database in a public GitHub repository for nearly five years, potentially compromising data for over 290,000 customers.