The incident was traced back to a lack of adequate enforcement and dissemination of data handling rules. In an effort to avoid a recurrence of such an event, Toyota has set up a system to continually monitor the configurations of all its cloud environments. Toyota Connected Corporation (TC), the entity managing these cloud environments, will be working closely with Toyota to ensure full compliance with data handling rules. As an additional measure, employees will receive comprehensive education on data handling protocols.
Fortunately, the investigation has not unearthed any evidence of secondary usage or internet-based third-party copies. No secondary damage has been reported. Vehicle location and credit card information were not compromised.
The reported data leakage incident involved two main areas: domestic services in Japan and overseas services.
In the case of overseas services, files managed by TC in the cloud environment for overseas dealers’ maintenance and investigation of systems were potentially accessible externally due to a misconfiguration. The customer information that may have been accessible includes address, name, phone number, email address, customer ID, vehicle registration number, and vehicle identification number.
In Japan, data including in-vehicle device IDs, map data updates, and their respective creation dates might have been externally accessible. This information is used for updating the distribution data for the system that distributes map data to in-vehicle navigation terminals. However, it’s worth noting that this data alone cannot be used to identify individual customers or in any way compromise vehicle security.
The customers potentially affected by this incident include those subscribed to G-BOOK with compatible navigation systems and some customers who renewed their Maps on Demand service between February 9, 2015, and March 31, 2022. The vehicles impacted were on sale at various times between December 2007 and September 2015. In total, approximately 260,000 customers could be affected.
Outside Japan, countries in Asia and Oceania are the most affected regions. The potential data leakage period for these countries was from October 2016 until May 2023.
Toyota has said that affected customers will receive an apology and notification via their registered email addresses. A dedicated call centre will be established to handle any questions or concerns that arise.
The situation will be handled in accordance with the personal information protection laws and related regulations of each country involved.
Toyota expressed sincere apologies for any concerns or inconvenience this incident may have caused, reaffirming its commitment to data protection and the safeguarding of its customers’ information.