Toyota Australia customers victim of data breach

Personal information belonging to Australian Toyota owners was unintentionally made publicly accessible, the company has confirmed

Toyota said earlier this month the vehicle data of 2.15 million users in Japan had mistakenly been made publicly available.

While at the time Toyota Australia said local data wasn’t included in this breach, it has since identified this isn’t the case.

“On 12 May, Toyota Motor Corporation confirmed that the vehicle data of some users in Japan had been publicly accessible due to an error in the configuration of a cloud-based database,” the company said in a new statement.

“At the time of that notification, it was our understanding that no Australian data was included but, upon continued investigation, we now know that a comparatively small number of Australian records have been impacted.

“Our investigations have found no evidence that the data has been accessed, and we have concluded that the probability is extremely low that any third party could have accessed it.

“While the data may include vehicle information, as well as some personal information such as names and some contact information, no personal financial details are included.

“Toyota Australia recognises the concern that this may cause to our customers, and we are working to contact directly those impacted to advise them of the situation, and to detail the measures that we have taken to ensure the security of our systems and their data.

“We continue to liaise with Toyota head office in Japan, and we will provide updates should additional information become available.”

Not only was customer information available to the public, the data – from its main cloud service platforms – was viewable for a decade due to human error per a report from Reuters.

The company says this data was mistakenly set to public view, and potentially includes details like vehicle locations and identification numbers of vehicle devices.

“There was a lack of active detection mechanisms, and activities to detect the presence or absence of things that became public,” a Toyota spokesperson told Reuters when asked how the breach went unnoticed for so long.

It began in November 2013 and lasted until mid-April this year.

The company is now investigating all the cloud environments managed by Toyota Connected Corp.

Toyota says it will introduce a system to audit cloud settings, establish a system to continuously monitor these, and educate its employees on secure data handling.

This incident follows a similar breach of T-Connect data which the company confirmed last October.

Toyota said 296,019 email addresses and customer numbers were potentially leaked, affecting customers who signed up for the T-Connect website from July 2017 onwards.