Cloud system error left Toyota customer data exposed for ten years

Toyota logo pictured outside the Japanese car maker's headquarters in Tokyo, Japan.
(Image credit: Yiuchi Yamazaki/AFP via Getty Images)

Data belonging to more than 2 million Toyota customers in Japan was left ‘publicly available’ for ten years due to a cloud configuration error, the company has revealed. 

The car manufacturer said that around 2.15 million customers may have been affected by the leak, which saw data left at risk between November 2013 and April this year. 

Toyota said that the leak was due to a misconfigured setting in its cloud environment and caused by human error. 

A worker at the firm is believed to have set a cloud system’s access level to ‘public’ instead of ‘private’, meaning that data pertaining to vehicle locations and identification numbers was exposed. 

Customers of Toyota’s T-Connect network are among those impacted by the incident, along with G-Link users. 

G-Link is a service for Lexus vehicle owners that offers premium services and emergency support features. 

A spokesperson for Toyota said there has been no sign of malicious activity due to the data leak. 

RELATED RESOURCE

Whitepaper cover with title over a grey rectangle with header graphic and ESG logo

(Image credit: IBM)

Storage's role in addressing the challenges of ensuring cyber resilience

Understanding the role of data storage in cyber resiliency

DOWNLOAD FOR FREE

The firm insisted that it took immediate action to block access to the affected data after the issue was revealed. 

A comprehensive review of how the firm monitors its cloud environments is also underway across the breadth of its global operations. 

“Customer information that may have been viewed from the outside will not identify the customer based on this data alone, even if accessed from the outside,” a spokesperson said. 

“Since the discovery of this matter, we have not confirmed any secondary use of customer information on the internet by a third party.”

In the wake of the incident, the company plans to implement changes to its cloud processes. 

The vehicle manufacturer said it will introduce systems to “audit and monitor cloud settings continuously”. 

The firm will also “thoroughly educate employees” to improve data handling.

Gary Cannon, transport practice commercial director at NCC Group told ITPro that incidents such as the Toyota cloud error are uncommon, but when they do occur can have disastrous implications. 

“It's not very common for an internal member of staff to accidentally set a cloud system to public instead of private,” he said. “However, it can happen, especially if the person responsible for the cloud system is not familiar with its configuration or if they are rushing to get something done.”

“It's important to note that setting a cloud system to public instead of private can have serious security implications, as it could expose sensitive data or services to unauthorized access.”

Recurring data leaks at Toyota

This latest data leak marks the second incident of its kind for Toyota in the space of a year. 

In October 2022, the car manufacturer revealed that data belonging to nearly 300,000 customers was exposed after an access key was left publicly available on GitHub for around five years

At the time, Toyota said that 296,019 customers were impacted by the breach, which also affected its T-Connect service. 

This issue was compounded by the fact that leaked source code included access keys to a server containing customer email addresses. 

In the wake of the incident, Toyota warned customers to remain vigilant for a potential onslaught of phishing scams. 

Ross Kelly

Ross Kelly is a staff writer at ITPro, ChannelPro, and CloudPro, with a keen interest in cyber security, business leadership and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research. 

In his spare time, Ross enjoys cycling, walking and is an avid reader of history and non-fiction.

You can contact Ross at ross.kelly@futurenet.com or on Twitter and LinkedIn.