Toyota finds more misconfigured servers leaking customer data
Earlier this month it was reported that a cloud system error had left the data of 2 million Toyota customers vulnerable on the cloud for 10 years. Toyota ordered an audit of its entire cloud infrastructure globally, and the company has now found two additional misconfigured cloud services that leaked customers' personal information for 7 years.
"We conducted an investigation for all cloud environments managed by TOYOTA Connected Corporation (TC). It was discovered that a part of the data containing customer information had been potentially accessible externally," Toyota wrote in its notice.
The first cloud service exposed the personal information of customers in Asia and Oceania between October 2016 and May 2023. The data, which includes name, address, phone number, email, customer ID, vehicle registration number, and Vehicle Identification Number (VIN), was supposed to be viewed only by dealers and service providers.
The number of affected customers is yet to be determined. The second cloud service exposed the data of about 260,000 customers in Japan between February 9, 2015, and May 12, 2023. In this case, the data is less sensitive, as it relates to the car's navigation system, including in-vehicle device ID (navigation terminal), map data updates, and data creation dates. Vehicle location data was not leaked.
The affected customers are those who subscribed to the G-BOOK navigation system with a G-BOOK mX or G-BOOK mX Pro and some who subscribed to G-Link / G-Link Lite and renewed their Maps using Toyota's on Demand service between February 9th, 2015, and March 31st, 2022.
The affected vehicles were Lexus-brand models, including the LS, GS, HS, IS, ISF, ISC, LFA, SC, CT, and RX, sold between 2009 and 2015. Toyota noted that the data is deleted from the cloud service after a while, so although the vulnerability ran for 7 years, the data was exposed only for a short period. The company also added that there is no proof that the data was accessed externally and that, even if it was, the data was not adequate to infer identification details about the customer or to access the vehicle's systems in any way.
The auto giant has said that it has put a system in place to regularly monitor cloud configurations and database settings across all its environments.