Toyota’s cloud security assessment finds additional vehicle data exposed

Hundreds of thousands of Toyota vehicles had data exposed by the Japanese car maker, beyond a discovery announced in May, according to a statement from the company.

In a followup to an admission two weeks ago that a “cloud misconfiguration” exposed information on more than 2 million vehicles in Japan for more than a decade, the company said Wednesday it conducted a companywide assessment of all its cloud environments.

The probe discovered several instances where customer information was potentially accessible by those outside of the company. One batch — affecting about 260,000 customers — exposed in-vehicle device identification numbers and map information from the car’s navigation terminal.

This information, which did not cover vehicle location, did not reveal or identify any individual customer and could be used to access the vehicle.

The breach reported Wednesday affects customers who subscribed to G-BOOK with a G-BOOK mX or G-BOOK mX Pro compatible navigation system. Some customers who subscribed to G-Link or G-Link Lite and renewed their Maps on Demand service between February 9, 2015, and March 31, 2022, were also affected.

The G-Link technology for its Lexus brand was tied to the breach announced two weeks ago.

The services deploying the systems were used by customers between February 9, 2015 and May 12, 2022.

“Customers whose information may have been leaked will receive a separate apology and notification to their registered e-mail addresses beginning today,” the company said. "In addition, a dedicated call center will be set up to answer any questions or concerns from customers.”

Another data exposure reported Wednesday involved files Toyota manages in cloud environments for overseas dealers' maintenance and investigation of systems. Due to a misconfiguration, the systems were publicly accessible.

The data involved includes names, addresses, phone numbers, email addresses, customer IDs, vehicle registration numbers and vehicle identification numbers.

The issue affected countries in Asia and Oceania outside of Japan but the company did not respond to requests for comment about which specific countries were involved.

This breach lasted from October 2016 to May 2023.

“We have also investigated whether, with this incident, there was any secondary use or if third-party copies remain on the Internet, and no evidence of such has been found. At present, we have not confirmed any secondary damage. (Vehicle location, credit card information, etc., are not included in this incident),” the company said of both breaches.

“As we believe that this incident also was caused by insufficient dissemination and enforcement of data handling rules, since our last announcement, we have implemented a system to monitor cloud configurations. Currently, the system is in operation to check the settings of all cloud environments and to monitor the settings on an ongoing basis.”

Toyota dealt with another breach in April and had to resolve a separate security issue that allowed for widespread access to a platform used by employees to coordinate operations.

Several cybersecurity experts lauded Toyota for conducting a companywide sweep of its systems after the initial breach was discovered.

Coro Cybersecurity co-founder Dror Liwer said companies need to always ask themselves why data needs to be retained and if it does, question whether it can be anonymized for customer safety.

KnowBe4’s Roger Grimes said more organizations need to conduct similar investigations into overly permissive cloud permissions, noting that there are “likely hundreds of thousands to millions of cloud instances with overly permissive permissions and vulnerabilities just waiting to be discovered by the owners or hackers.”

“Be the owner that finds it before the attacker does,” he said.