Toyota: Tragic Data Breach, 2 Million Vehicles Affected For Ten Years

By Adeola Adegunwa
Writer, Informationsecuritybuzz | May 14, 2023 11:59 pm PST

Recently, Toyota admitted to having one of the worst data breaches in the automotive sector. Approximately 2 million automobiles sold in the business’s home market have had their information put at risk, the company said.

Unlikely as it may sound, Toyota claims it learned of the data compromise in early 2018. The database of Japanese consumers who used the cloud-based Connected service became vulnerable due to a misconfiguration in the company’s database.

The personal information of 2.15 million consumers was exposed for an unspecified amount of time, according to a notice posted on Toyota’s Japanese website. Company officials stressed that no customer data was compromised, and there is no proof that anyone ever did anything with it.

Let’s start with the people who were directly impacted. Toyota claims that only clients in Japan were affected. Therefore, if you are located in North America or Europe and have used the Connected service in the last ten years, your information is still safe.

Between January 2012 and April 2023, Toyota thinks that the data of around 2.15 million persons was exposed. The cloud service’s lackluster security, according to a company spokesman, was the root of the issue. Poor security settings allowed anyone to access the information without a password. Since April, when the problem was first discovered, the servers have had adequate protection put in place.

Customers can find their vehicle, get help in an emergency, and receive servicing reminders with the Toyota Connected service. Therefore, no personally identifiable information was exposed via the cloud-based service.

The Japanese automaker, on the other hand, admits that VIN and location data were exposed along with other sensitive information in the compromised database. That is to say, if an adversary had known the vehicle identification number (VIN), they could have tracked the precise location of a target car at any moment. However, it should be noted that the database did not include personal details, so it was not possible to associate the VIN code with a specific Toyota customer using only the disclosed information.

Toyota found that it’s possible that video recorded in vehicles was also leaked. The business acknowledges that this may be more unsettling to certain consumers but stresses that the server only contains recordings made from outside the vehicle. This makes it extremely improbable that a VIN code could be used to identify a specific customer based on a recording.

According to the Japanese automaker, the recordings were left out in the open for about seven years, from November 2016 to April 2023. The corporation claims it is currently conducting an internal review to find out if any more data was accessed inappropriately.

Customers shouldn’t contact Toyota or schedule service appointments because the data breach did not involve personally identifiable information. However, the Japanese automaker claims it will personally call affected customers to explain the breach and disclose what data was compromised.

Toyota claims that all of the vulnerable services, which it identifies as G-Link, G-Book, and Connected, have been patched to prevent unauthorized access. Customers can use them as usual and no longer need to worry that their data will be compromised.

Because it is difficult to match the disclosed information with customers, hackers are not likely to be very interested in the data. Contrarily, depending on the driver’s location, video recordings could develop into a privacy problem.

A data leak that has persisted for ten years is embarrassing for Toyota, but it also shows that the firm hasn’t learned its lesson. The Japanese automaker admitted to another data breach affecting roughly 300,000 consumers in late 2022. At that point, it was determined that a T-Connect access key that had been available on GitHub for at least five years was to blame.

Following the GitHub publication of the T-Connect site’s source code in December 2017, the exposed data spans the months of January 2018 through September 2022. The code also contained an access key, thereby allowing any outsider to log into the service and view sensitive client information. Toyota inadvertently revealed certain consumers’ email addresses and managerial phone numbers.

Only time will tell if this mistake causes Toyota to beef up its security measures, but at least no major harm has been done so far. It’s highly improbable that hackers spilled, copied, or otherwise mishandled the disclosed data because of its nature. Toyota says Japanese consumers can contact the business through a special call center if they have more questions regarding the data leak.


Toyota, the Japanese manufacturer, announced on Friday that a data breach affecting more than 2 million automobiles occurred ten years ago in the company’s much-tout. According to Toyota spokesman Hideaki Homma, the issue with the company’s cloud-based Connected service only affected automobiles in Japan between January 2012 and April 2023. The Connected service notifies owners of upcoming maintenance inspections, offers access to streaming media, and responds to their needs in the event of an emergency. It can make an emergency call after an accident or track down a stolen vehicle.

As of now, there are no reports of problems as a result of the intrusion. The vehicle identification number (which is different from the license plate), the vehicle’s location and time, and the vehicle’s video footage (called the “drive recorder” in Japan) are at risk. But there is no proof that any information was leaked, copied, or misused. According to Toyota Motor Corp., manufacturer of the Prius hybrid and Lexus premium vehicles, such data cannot be utilized to identify specific owners. A total of 2.15 million vehicles have been compromised, including those of users of the G-Link, G-Book, and Connected online services. Toyota manages the Connected service in Japan. Homma claimed that no one had realized until recently that access to such data from the outside world should have been disabled.
