Millions of Toyota Owners Have Their Locations Exposed for the Last 10 Years
- By Steven
- May 16, 2023
Toyota is a worldwide car manufacturer based in Toyota City, Japan. This automaker produces millions of vehicles each year, and many of those vehicles had their locations publicly available for as long as ten years. If you drive a Toyota vehicle, your location may have been available to anyone interested in seeing it, all because of a cloud configuration mistake. This mistake compromised the privacy of over 2 million Toyota car owners and is a serious hit to Toyota's name and reputation.
How Did the Attack Occur?
This Toyota attack wasn't an attack at all but a mistake made by the cloud technician who set up the company's location services. Toyota Motor Corporation relied on Toyota Connected Corporation to handle all the data services for Toyota vehicles. The company misconfigured the cloud-based database holding user data, which left all of that data freely available to everyone on the internet.
Without any password protection or encryption on the data, it was possible to look at the location information for countless Toyota vehicles for over a decade. Any drivers using T-Connect, GBook, or GLink services through Toyota were exposed to anyone on the internet who looked at the data. The information within the exposed database was available from January 2, 2012, until April 17, 2023, when the error was exposed and the database configuration was repaired.
What Information Was Viewed or Stolen?
No personally identifiable information about specific drivers was available in this breach. Instead, in-vehicle GPS data, terminal ID numbers, chassis numbers, and vehicle location and time information were exposed. It would be impossible to track an individual unless the person viewing the data already knew the VIN of the vehicle they wanted to track.
How Did Toyota Admit to the Breach?
Toyota released public statements and sent an email explaining why this data breach occurred and which individuals could be affected by it. The company put out statements but is not sending individual notices to all the Toyota owners who may have been exposed by this data leak. The company isn't required to send out individual notices because the exposed data doesn't qualify as personal data, such as a Social Security number, financial information, or a driver's license number.
What Will Become of the Stolen Information?
While it's possible that some individuals misused this data to track people or to analyze the movement patterns of Toyota owners, it's unlikely that many individuals used this data in a harmful way. The information is too vague to offer much value to attackers who discovered it, so you don't have to worry about identity theft, phishing attacks, or any of the other issues that normally come along with cyber-attacks.
What Should Affected Parties Do in the Aftermath of the Breach?
There is little to be done about this Toyota data breach. You should use this breach as a warning that it's not always a good idea to allow data to be shared with companies, and avoid trusting companies with data in the future if you can. You don't have to invest in identity theft protection services, freeze your credit, or take any other dramatic measures to protect yourself because it's unlikely that your personal assets or credit are truly at risk because of this breach.