The Toyota Motor customer data leak is larger than what was disclosed previously, the company conceded on Wednesday.
The latest announcement from the company said that the personal details of Toyota Motor customers in certain countries in Oceania and Asia, excluding Japan, may have been exposed to the public from October 2016 to May 2023.
The Toyota Motor customer data leak was disclosed on May 12. The automaker launched an investigation into the data leak, revealing potential external accessibility of additional customer information managed by Toyota Connected Corporation (TC).
The potentially accessible customer information comprised names, addresses, phone numbers, email addresses, as well as vehicle identification and registration numbers, according to the company’s statement.
According to the May 12 disclosure, the vehicle data of 2.15 million users in Japan, encompassing almost the entire customer base who had registered for its primary cloud service platforms since 2012, had been unintentionally available to the public for a duration of ten years due to human error.
Toyota Motor customer data leak: The details
The Toyota Motor customer data leak incident was brought to light after an investigation into all cloud environments managed by TOYOTA Connected Corporation (TC).
According to the latest announcement, the scale of the potential data leakage incident due to a misconfiguration of its cloud environment, disclosed on May 12, was much deeper than anticipated.
“It was further discovered that a part of the data containing customer information had been potentially accessible externally,” the company announcement said.
“As we believe that this incident also was caused by insufficient dissemination and enforcement of data handling rules, since our last announcement, we have implemented a system to monitor cloud configurations.”
The company classified the whole Toyota Motor customer data leak into two sections: domestic service incidents in Japan and overseas service incidents.
In the domestic service incidents, potentially accessible data included in-vehicle device IDs, map data updates, and the creation dates of updated data used for the distribution of in-vehicle navigation terminal map data.
However, these data alone cannot identify individual customers or provide access to or affect the vehicles, the company claimed.
The system is now operational and continuously monitors cloud settings, while Toyota plans to collaborate with TC to reinforce data handling rules and educate employees to prevent such incidents in the future, said the announcement.
Toyota stated that it will handle the case in each country according to the personal information protection laws and regulations of that country.
The statement clarified that the leaked details of Japanese customers were not identifiable and would not provide access to or affect their vehicles.
Toyota Motor customer data leak and the larger picture
Toyota is a major global vehicle manufacturer with over 370,000 employees and approximately $267 billion in revenue in the previous year.
This Toyota Motor customer data leak is the latest addition in a string of data security incidents.
An accidental access to marketing tools by its Italian branch was disclosed in March 2023. A data leak exposed the details of 300,000 customers last year, and a data breach happened in its Indian business in January 2023.
Automobile manufacturers and distributors, in general, have been regular victims of data breaches and cyber attacks.
Lockbit 3.0 ransomware gang in January listed German firm EDS Automotive GmbH as a victim. EDS Automotive is one of the biggest development partners of popular automotive manufacturers such as BMW, Audi, Daimler, Tesla, VW and, Porsche.
According to Upstream’s 2022 Global Automotive Cybersecurity Report, about 82% of cyber attacks targeting the automotive industry, encompassing consumer vehicles, manufacturers, and dealerships, were executed remotely.
More than 40% of incidents targeted back-end servers, indicating the importance of safeguarding critical infrastructure, said the report.
According to an AT&T report, the most common cyber threats automotive industry faces are EV charging station exploitation, infotainment system attacks, brute force network attacks, phishing attacks, compromised aftermarket devices, ransomware, and supply chain attacks.