Toyota says security lapse at Italy offices may have led to customer data exposure

Japanese car giant Toyota said that security lapses at its offices in Italy may have exposed customer data.

In a statement to The Record, Toyota Motor North America spokesperson Corey Proffitt confirmed the findings from Cybernews, a cybersecurity research organization that discovered an environment file (.env) hosted on the official Toyota Italy website on February 14.

The file contained a wide range of information, including credentials to digital marketing platform Salesforce Marketing Cloud, which could be used to reach out to customers in a variety of ways. The researchers also found other data related to the company’s use of Mapbox’s application programming interface. The file had been exposed since May 21, 2021, Cybernews said.

“Immediately after Cybernews team informed Toyota Motor Italy of a cybersecurity vulnerability in its IT environment, the company took all necessary actions to remedy the situation that was caused by a failure to follow our company data security policies,” Proffitt said.

“An additional set of countermeasures have been put in place to restore and strengthen our cyber security systems and protocols. We have reported this data privacy risk to the relevant authorities and are fully cooperating with the ongoing investigation.”

Proffitt added that Toyota is conducting a wider investigation of its cybersecurity systems in order to “prevent a recurrence of similar incidents.”

The incident comes amid a streak of data leaks affecting car companies. In January, ransomware actors took credit for an attack on Arnold Clark, one of the United Kingdom’s largest car dealerships. When the car dealership refused to pay a ransom, the gang leaked National Insurance numbers — the equivalent of Social Security numbers in the U.S. — and passport data, alongside addresses and phone numbers.

In February 2022, ransomware actors from the now-defunct Hive group attacked Emil Frey, one of Europe's biggest car dealers and last week a BMW dealer in France was also hit with ransomware. Reuters reported last week that Tesla employees were sharing data collected from cameras within customer vehicles.