Toyota Japan has apologized after admitting to leaving millions of customers’ vehicle data on the public internet for a decade.
The automaker said in a statement it will notify about 2.15 million customers whose personal and vehicle information has been left on the internet after a “misconfiguration of the cloud” was recently discovered in April. Toyota said the exposed data included: registered email addresses; vehicle-unique chassis and navigation terminal numbers; the location of vehicles and what time they were there; and videos from the vehicle’s “drive recorder” recording footage from the car.
Toyota said the data spilling from its Connected Cloud (TC) was first exposed in November 2013, but covers only vehicles in Japan, according to the company.
The company’s connected service provides Toyota customers with information about their vehicle, provides in-car entertainment services and helps alert authorities in the event of an accident or breakdown.
Lexus car owners who have signed up for the G-Link service are also affected.
Toyota said the data was secure, but has not seen any reports that the data was obtained or used maliciously. It is not clear whether Toyota has the logging to detect what data, if any, has been exfiltrated from its network. Toyota said in its statement that it would introduce a system to monitor its cloud, suggesting existing efforts were insufficient.
In 2022, Toyota admitted it had exposed about 300,000 customer email addresses for nearly five years after a subcontractor accidentally uploaded some of the company’s source code to the internet. That data included a private key that stored customer email addresses.
Want to know more about the Toyota vulnerability? Do you work at Toyota? You can contact Zack Whittaker on Signal at +1 646-755-8849 or zack.whittaker@techcrunch.com. You can also share files and documents with TechCrunch through our SecureDrop.