Toyota Investigates Possible Data Leakage Affecting Approximately 260,000 Customers

  • Toyota Motor Corporation has identified a potential data leakage affecting around 260,000 customers due to cloud misconfigurations. The leaked data includes in-vehicle device IDs, map data updates, and updated data creation dates, but cannot be used to identify individuals or affect vehicles.
  • In addition to the domestic incident in Japan, some files managed by TOYOTA Connected Corporation for overseas dealers’ maintenance and investigation of systems were also potentially accessible. The company plans to address the issue in accordance with personal information protection laws and related regulations in each affected country.

Toyota Motor Corporation (TMC) has identified a potential data leakage incident involving customer information due to misconfigurations in its cloud settings. The issue was discovered during an investigation of all cloud environments managed by TOYOTA Connected Corporation (TC). Following an announcement on May 12, the company discovered that a portion of the data containing customer information had been potentially accessible externally.

In light of these findings, Toyota has already implemented a system to monitor cloud configurations in order to prevent future incidents. This system will continuously monitor the settings of all cloud environments. Toyota aims to prevent recurrence by thoroughly educating employees about data handling rules and working closely with TC to enforce these rules. The company has apologized to customers and relevant parties for any concern and inconvenience caused by the incident.

The potentially leaked data includes in-vehicle device IDs, map data updates, and updated data creation dates. Despite the potential external access, Toyota stated that these data alone cannot reveal and identify any individual customer, nor can they be used to access or in any way affect the vehicle. The company confirmed that vehicle location and credit card information were not included in this incident.

The issue primarily affects customers who subscribed to G-BOOK with a G-BOOK mX or G-BOOK mX Pro compatible navigation system and some customers who subscribed to G-Link / G-Link Lite and renewed their Maps on Demand service between February 9, 2015, and March 31, 2022.

The total number of potentially affected customers is approximately 260,000. The list of potentially affected vehicles includes LS, GS, HS, IS, IS F, IS C, LFA, SC, CT, and RX models sold within specific periods. The cloud environments were potentially accessible externally from February 9, 2015, to May 12, 2023.

In addition to the domestic incident in Japan, Toyota also discovered that some files managed by TC in the cloud environment for overseas dealers’ maintenance and investigation of systems were potentially accessible externally due to a misconfiguration. This data includes the address, name, phone number, email address, customer ID, vehicle registration number, and Vehicle Identification Number of customers in certain countries in Asia and Oceania, excluding Japan. The period of potential external access ranged from October 2016 to May 2023.

As a response, Toyota plans to reach out to the potentially affected customers via their registered email addresses. The company also intends to set up a dedicated call center to address any questions or concerns customers may have about the incident.

The company is currently handling the case in each country in accordance with that country's personal information protection laws and related regulations.