May was a busy month for Toyota, but not for manufacturing cars. The global carmaker, the best-selling car brand in the world, first admitted to a data leak exposing 2.15 million customers’ data between November 6, 2013 and April 17, 2023. This was quickly followed by a May 31 announcement in which the automotive giant alerted customers that it had discovered that the data of another 260,000 car owners had been leaked.
The first, larger data leak was caused by a misconfigured cloud bucket, exposing customer records to the open Internet. In a statement released May 12, Toyota revealed that customer data in Japan had been publicly accessible since 2012 due to “misconfiguration of the cloud environment.”
The leak primarily affected the clients of the T-Connect service. The service offers various features such as AI voice-enabled driving assistance, automatic connection to call centers, emergency support, car unlocking, navigation, vehicle statistics, and other vehicle-related metrics. No issues arising from the breach have been reported.
“We have implemented measures to block access from the outside, but we are continuing to conduct investigations, including all cloud environments managed by T-Connect,” says the statement by Toyota.
Toyota said it will establish a system to continuously monitor settings and thoroughly educate employees on data handling rules.
The data leak was down to human error, according to Toyota.
“We believe that the main reason for this incident was insufficient explanation and thoroughness of data handling rules.” Media reports say that a cloud system setting was set to ‘public’ instead of ‘private’.
A spokesperson told Reuters: “There was a lack of active detection mechanisms, and activities to detect the presence or absence of things that became public.”
As for the second, smaller data leak, the carmaker said it learned of the misconfiguration while conducting a wider investigation of its cloud environments, after admitting earlier this month that customer data was accessible by anyone on the Internet. “We will deal with the case in each country in accordance with the personal information protection laws and related regulations of each country,” Toyota said.
The second data leak exposed drivers’ sensitive details such as name and home address, phone number, email address, customer ID, vehicle registration number and Vehicle Identification Number.
Representatives from Toyota said the level of data exposure varies from client to client, and not everyone had all their details left accessible. The company added that the data was likely accessible from October 2016 until May 2023.