In a nutshell: Toyota is in apology mode after recently discovering that a misconfigured server had been exposing some customer data on the web for nearly a decade. The Japanese automaker said human error was to blame for a cloud server being made public since November 2013. Publicly accessible customer data included in-vehicle terminal IDs and chassis numbers as well as vehicle location and time information.
Approximately 2.15 million customers were involved, and all are being notified via the email address Toyota has on file. According to Toyota, the exposed data was sealed on April 17, 2023. A dedicated call center is also being set up to answer questions from concerned customers.
Toyota thus far has not received any reports of misused data, nor is it aware if anyone copied the information during the open period.
The misconfigured system has since been fixed. A spokesperson told Reuters that the company has notified Japan's Personal information Protection Commission about the incident.
The automaker is taking steps to ensure its other online systems are secure and to mitigate the potential of a repeat incident in the future. In addition to better educating employees, Toyota plans to launch a cloud audit program and continually monitor cloud system settings.
Cyberattacks and data leaks are a dime a dozen these days, and Toyota has experienced its fair share of issues over the years. In 2022, Toyota said a subcontractor accidentally uploaded source code and an access key to GitHub that could have been used to access email addresses of nearly 300,000 customers.
In February of the same year, Toyota had to halt production at some of its facilities due to a cyberattack on one of its suppliers. At the time, it was estimated that the attack could cost the company as much as $400 million and set production back by around 13,000 vehicles.
A key cloning-based security flaw in 2020 left millions of vehicles from Toyota, Kia and Hyundai vulnerable to theft.
Image credit: Traffic by Barry Tan, Toyota by Chandler Cruttenden