Toyota has confirmed that sensitive data on millions of vehicles were stored on an unprotected cloud database between November 6, 2013, and April 17, 2023. The data was available to anyone who knew where to look and included information on the location of 2.15 million Toyota owners. The company published a security notice on its newsroom website, apologising for causing inconvenience and concern to customers and related parties.
The exposed data included GPS navigation, terminal ID number, chassis number, and vehicle location and time data. It was kept in an unprotected database of customers using Toyota’s T-Connect G-Link, G-Link Lite, and G-BOOK car infotainment systems. While the data was pseudonymous, anyone with physical access to Toyota cars could obtain the vehicle identification number, which could connect the data to the users.
In addition, Toyota said that there was a possibility that video recordings taken outside the vehicles were also exposed in the incident. These recordings were being made for almost seven years, from November 2016 to April 2023. Toyota has implemented measures to block outside access and is conducting investigations, including all cloud environments managed by Toyota Connected Corporation.
