Japanese auto firm Toyota recently announced that a decade-long data breach in its online service has put information on more than 2 million vehicles at risk.
Customers affected included those who signed up for the T-Connect network service between the beginning of 2012 and April 17. According to TechCrunch, Toyota said that the exposed data includes: “registered email addresses; vehicle-unique chassis and navigation terminal numbers; the location of vehicles and what time they were there; and videos from the vehicle’s ‘drive recorder’ which records footage from the car.”
A company spokesperson said the problem lay in the way the cloud-based service was protected from external access. Because of poor security configuration, anyone could access the data without a password. The issue was spotted in April, and the servers have since been properly safeguarded.
The Toyota Connected service helps customers get service reminders, determine the location of the vehicle, and receive assistance when required. The cloud-based platform itself did not reveal personally identifiable information.
Commenting on this, Erfan Shadabi, Cybersecurity Expert at comforte AG, said “First and foremost organisations need to educate staff members about the importance of cloud security and the potential consequences of misconfigurations. Regular training sessions can help instil best practices and promote a security-first mindset. Organisations also should follow cloud service providers’ security guidelines and best practices to ensure a secure cloud environment.
“Adhere to the principles of Zero-trust when granting permissions and access rights to cloud resources. Only grant the necessary privileges to users and regularly review access controls to prevent unauthorised exposure. Also adopting data-centric security measures, such as tokenisation, can be highly effective in mitigating risks associated with human error. Tokenisation involves substituting sensitive data with non-sensitive placeholders called tokens. These tokens hold no value to potential attackers, as they are meaningless without access to the tokenisation system. By implementing tokenisation, even if a breach occurs or data is exposed accidentally, the exposed or stolen data would be rendered useless to unauthorised individuals.”
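The tokenisation approach described in the quote above, shown as an added illustration that is not part of the article and not comforte AG's or Toyota's code: a hypothetical vault-backed tokeniser replaces the email address and chassis number in each record before the record is copied to the cloud service, so an exposed copy holds only random tokens, and only the vault (assumed to sit behind separate, strict access control) can map them back. Field names and sample values are constructed.

```python
import secrets

# Fields the vault protects before a record leaves the trusted zone (assumed schema)
SENSITIVE_FIELDS = ("email", "chassis_number")


class TokenVault:
    """Hypothetical token vault: the only place the token -> value mapping lives.
    In production it is a separate, access-restricted service; the data store that
    is replicated to the cloud-facing platform never holds the mapping."""

    def __init__(self):
        self._forward = {}   # original value -> token (so repeats map consistently)
        self._reverse = {}   # token -> original value

    def tokenize(self, value):
        if value in self._forward:
            return self._forward[value]
        # Random token with no mathematical relation to the value it replaces
        token = "tok_" + secrets.token_hex(16)
        self._forward[value] = token
        self._reverse[token] = value
        return token

    def detokenize(self, token):
        # Raises KeyError for tokens this vault never issued
        return self._reverse[token]


def protect_record(vault, record):
    """Swap sensitive fields for tokens; telemetry fields pass through unchanged."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}


def restore_record(vault, record):
    """Inverse of protect_record; only works with the issuing vault."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}


def leaks_sensitive_value(exposed_records, original_records):
    """Audit check: does an exposed dataset contain any original sensitive value?"""
    originals = {r[k] for r in original_records for k in SENSITIVE_FIELDS}
    return any(r[k] in originals for r in exposed_records for k in SENSITIVE_FIELDS)


# Constructed sample records (not real customer data)
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "chassis_number": "JT0EXAMPLE000001", "last_seen": "2023-04-17T08:15Z"},
    {"email": "bob@example.com", "chassis_number": "JT0EXAMPLE000002", "last_seen": "2023-04-17T09:40Z"},
]
```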
Elliott Wilkes, chief technology officer at Advanced Cyber Defence Systems (ACDS), added “It appears as though some source code from the company was mistakenly posted in a public repository on GitHub, a source-control system. This is a common security mistake, compounded by the fact that there were privileged credentials stored in the source code repository. This is both a source-control issue as well as a credential and access management issue. This could have been prevented by the use of a privileged access management solution that helps securely store and utilise credentials versus having a software engineer store them on their own in an insecure way.
“Regular auditing of cloud systems like AWS and Azure is a necessity in this increasingly hostile internet. The same goes for reviewing the default settings for software-as-a-service tools like GitHub and restricting developers and end users from making insecure choices. As companies, we need to do better at helping our employees not accidentally make poor choices from a security perspective.
“This is absolutely critical to the automotive industry generally, but really many technologies and everyday consumer tools that are beginning to become internet-connected. There is also a need for government to step in and provide better regulation that sets standards for what good looks like. The UK’s NCSC and US’s CISA agencies have really stepped this up lately and the government of Japan has done a good job lately by pushing to hire a large consort of cyber security staff.”