Toyota Motor Corporation disclosed a data breach on its cloud environment that exposed the car-location information of 2,150,000 customers for ten years, between November 6, 2013, and April 17, 2023.
According to a security notice published in the company's Japanese newsroom, the data breach resulted from a database misconfiguration that allowed anyone to access its contents without a password.
"It was discovered that part of the data that Toyota Motor Corporation entrusted to Toyota Connected Corporation to manage had been made public due to misconfiguration of the cloud environment," reads the notice (machine translated).
"After the discovery of this matter, we have implemented measures to block access from the outside, but we are continuing to conduct investigations, including all cloud environments managed by TC. We apologize for causing great inconvenience and concern to our customers and related parties."
Exposed car location and videos
This incident exposed the information of customers who used the company's T-Connect G-Link, G-Link Lite, or G-BOOK services between January 2, 2012, and April 17, 2023.
T-Connect is Toyota's in-car smart service for voice assistance, customer service support, car status and management, and on-road emergency help.
The information exposed in the misconfigured database includes:
- the in-vehicle GPS navigation terminal ID number,
- the chassis number, and
- vehicle location information with time data.
While there is no evidence that the data was misused, unauthorized users could have accessed the historical data and possibly the real-time location of 2.15 million Toyota cars.
It is important to note that the exposed details do not constitute personally identifiable information, so it wouldn't be possible to use this data leak to track individuals unless the attacker knew the VIN (vehicle identification number) of their target's car.
A car's VIN, also known as chassis number, is easily accessible, so someone with enough motivation and physical access to a target's car could theoretically have exploited the decade-long data leak for location tracking.
A second Toyota statement published on the Japanese 'Toyota Connected' site also mentions the possibility of video recordings taken outside the vehicle having been exposed in this incident.
The exposure period for these recordings was defined between November 14, 2016, and April 4, 2023, which is nearly seven years.
Again, the exposure of these videos would not severely impact the car owners' privacy, but this depends on the conditions, time, and location.
Toyota has promised to send individual apology notices to impacted customers and set up a dedicated call center to handle their queries and requests.
In October 2022, Toyota informed its customers of another lengthy data breach resulting from exposing a T-Connect customer database access key on a public GitHub repository.
This enabled an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when external unauthorized access to the GitHub repository was restricted.
Comments
h_b_s - 1 year ago
It's true you normally need physical access to a vehicle to discover its VIN. But physical access is trivial in this case. You don't ever have to touch the car, unlock it remotely, or anything else. Walk up, peer through the bottom corner of the windshield, copy the number down, walk away. No one's the wiser.
Stalkers, OSint savvy PIs, LEOs all have wet dreams over these kinds of data breaches. It's possible this database remained overlooked for 7 years, but all we have is Toyota's word for that. A lot of corporations have inadequate access logging as well, which most corporations won't tell you that they don't really know one way or the other because access logs don't exist, routinely deleted, or were compromised. Hopefully, this database doesn't end up on the Internet somewhere.
Wannabetech1 - 1 year ago
"Hopefully, this database doesn't end up on the Internet somewhere." I'm sure it already is. "Misconfiguration"? Does that mean they didn't know what they were doing?
rmstallman - 1 year ago
The story doesn't raise two fundamental and crucial questions
1. How does Toyota Connected get car location data?
2. Can the driver make sure it does NOT get car location data?
Once data are collected, they _will_ be misused -- one way or another. There are many ways to abuse personal data in a data base. Crackers can steal them; the business that collected them or one of its "partners" can can misuse them; rogue employees can use them for
crimes; states can get them and investigate whether you might be a dissident. See https://gnu.org/philosophy/surveillance-vs-democracy.html.
Thus, a free society requires that people not be tracked without special authorization, such as a search warrant. That includes making sure that your car does not track you -- as well as buses, taxis, and cameras on the street.