Improper configuration of Toyota’s cloud service led to data leakage, affecting car owners in Asia

Toyota Motor Corp. announced in early May that a decade of misconfiguration of its cloud services had caused a data leak, exposing stored owner and vehicle information. According to Toyota’s latest news, the scope of this incident includes the personal and vehicle information of car owners in Japan and other Asian regions. The cloud environment involved in the leak is managed by Toyota Connected Corporation (TC).

Toyota provided a more detailed explanation of the leak after nearly a month of investigation. First, the source of the leaked data is the company’s system released last month, which includes the IDs of in-vehicle devices (such as navigation terminals), map update data, and the dates when navigation terminal data was added. These services only involve approximately 260,000 Japanese car owners who subscribed to specific navigation devices and those who subscribed to specific services between February 2015 and March 2022.

However, Toyota pointed out that even if this information is leaked, it will not reveal the identity of the owner, and the information cannot be used to access or influence the vehicle. On the other hand, what went unnoticed last month was that system maintenance and investigation information from overseas dealers may also have been accessed externally due to improper configuration. Currently, the system has been temporarily blocked from outside access.

Toyota’s investigation found no evidence that the leaked data had been reused or that it had been copied by third parties on the Internet. Toyota said it believed the incident was caused by a failure to effectively disseminate and enforce data processing policies. To this end, Toyota has begun to introduce a system for monitoring cloud configurations, and is fully checking the settings of all cloud environments. At the same time, Toyota is also working with TC to explain data processing policies to employees and enforce them, to prevent similar incidents from happening again.