The Toyota Motor Corporation recently issued a warning that personal information belonging to its customers may have been exposed after an access key was left publicly available on GitHub for close to five years.
Data leak discovered
The auto manufacturer’s official connectivity application, Toyota T-Connect, enables Toyota vehicle owners to connect their smartphones with their vehicle’s dedicated infotainment system. Through this link, owners can use phone calls, navigation, music, fuel consumption, notifications integration, engine status, driving data and much more.
However, Toyota recently discovered that a segment of the T-Connect site’s source code was published in error on GitHub and included a dedicated access key for the data server where customer email addresses as well as management numbers were being stored.
As a result, it was possible for an unauthorised third party to gain access to the personal information of 296,019 Toyota customers from December 2017 to September 2022, when access to the GitHub repository was eventually restricted.
By September 17 this year, the keys for the database were changed, ending all potential access from unauthorised third parties.
The recent announcement from Toyota states that customer names, phone numbers and credit card data have not been compromised in the leak, as these details were not stored in the compromised database.
Actions following a data breach
Toyota has now blamed one of its development subcontractors for the mistake but has recognised it is still responsible for the mishandling of its customers’ data and apologised for any possible inconvenience caused by the incident.
The Japanese car maker concluded its recent notice with a comment that while no signs exist yet of data misappropriation, it is unable to rule out the unfortunate possibility that an individual has accessed and stolen the customer data.
Toyota data leak notice explained:
“As a result of an investigation by security experts, although we cannot confirm access by a third party based on the access history of the data server where the customer’s email address and customer management number are stored, at the same time, we cannot completely deny it.”
To this end, all T-Connect users who registered during the period of July 2017 to September 2022 are now being advised to remain vigilant against scams like phishing attacks and to avoid opening any email attachments from unrecognised senders that claim to be from Toyota.
While some threat operators who steal data will use it themselves in their own campaigns, others will sell the information on to other malicious actors. In some cases, a high price tag is attached to such dark web auctions. However, up-and-coming threat groups will sometimes give stolen data away for free to earn kudos.
This kind of security incident is becoming increasingly common and often results in large-scale leaks when the unprotected troves hold a considerable volume of sensitive data. To protect against threats of inadvertent data exposure, cybersecurity experts recommend that all data should be adequately safeguarded using encryption software. Whether information is stolen or simply left openly accessible online, it will remain unreadable when effectively encrypted.