Toyota apologizes after its primary cloud service was left publicly available for over a decade, putting more than 2 million clients at risk.
Cloud-based data management is critical infrastructure for autonomous driving and other AI-based features. However, human errors are causing cybersecurity concerns.
In a statement on May 12th, Toyota revealed that customer data in Japan had been publicly accessible since 2012 due to “misconfiguration of the cloud environment.”
The cloud system was accidentally set to public instead of private due to human error. It leaked both vehicle location information and the identification numbers of vehicle devices. The company claims that, at this point, they have not confirmed any malicious use of the leaked customer data.
The leak primarily affected the clients of the T-Connect service, which offers features such as AI voice-enabled driving assistance, automatic connection to call centers, emergency support, car unlocking, navigation, vehicle statistics, and other vehicle-related metrics.
“We have implemented measures to block access from the outside, but we are continuing to conduct investigations, including all cloud environments managed by T-Connect,” says the statement by Toyota.
“We apologize for causing great inconvenience and concern to our customers and related parties.”
Toyota said it will establish a system to continuously monitor settings and thoroughly educate employees on data handling rules.
Not the first time
It’s not the first time that Toyota has been shaken by a data leak. Earlier this year, Cybernews research revealed that a multinational vehicle manufacturer accidentally leaked access to its marketing tools, enabling attackers to launch phishing campaigns against its vast pool of customers in Italy.
In 2022, Toyota confirmed that the data of almost 300,000 customers was leaked online after a company developer published T-Connect source code on GitHub. The leaked data included email addresses and the customer management numbers which Toyota assigns to each client.
Insider-driven data exposure is on the rise
Joe Payne, CEO at insider risk management firm Code42, told Cybernews that incidents like this should serve as a warning to other companies to re-evaluate their approach to insider risks. “Human error is inevitable,” he says. “But it can be mitigated with the right approach.”
According to him, organizations should invest in creating environments where employees make safer and smarter decisions about data.
“Our research has revealed a 32% year-over-year increase in insider-driven data exposure, loss, leak and theft events. Not only is the problem growing, but both detection of and response to insider events have become more challenging.”
“This starts with employee education and is made stronger by implementing data monitoring tools that protect an organization’s perimeter,” he concluded.