Toyota reveals a decade-long data breach involving 2.15 million people

On May 12, 2023, the official website of Toyota Japan published an apology notice revealing a 10-year-long data breach at the company involving approximately 2.15 million Japan-based Toyota users.

The data breach was reportedly caused by a misconfiguration of the cloud environment for some data managed by Toyota Connected Corporation (hereinafter referred to as TC), which allowed any unauthenticated external visitor to access the database between November 6, 2013 and April 17, 2023.

The data breach involved users of Toyota's T-Connect G-Link, G-Link Lite and G-BOOK services and included vehicle identification numbers, chassis numbers, vehicle location information and video clips taken by cameras mounted on the vehicles. Toyota notes that this information does not identify the owner of the vehicle.

At this time, Toyota is unable to determine whether any of the leaked data was misused. The company said that the main cause of the incident was that the data processing rules had not been thoroughly explained. In addition to continuing the incident investigation, it will work closely with TC to strengthen employee education to prevent a recurrence, and will introduce a cloud setup audit system to investigate the setup of the cloud environment and continuously monitor its status.

According to a person familiar with the matter, who asked not to be named, the Japan Personal Information Protection Commission has been made aware of the incident. It is not clear whether the commission will punish Toyota.

Toyota T-Connect had already suffered a data breach last October, when the personal information of nearly 30 users was stolen by attackers. The leaked information included users' email addresses, customer numbers and other information, and affected users who had registered for the service with their email addresses since July 2017.