Toyota Motor has revealed that customer information in certain countries in Oceania and Asia, excluding Japan, may have been unintentionally exposed to the public from October 2016 to May 2023.
The data that may have been accessed externally includes customers’ names, addresses, phone numbers, email addresses, and vehicle identification and registration numbers.
This incident comes shortly after Toyota’s recent announcement that the vehicle data of 2.15 million users in Japan had been publicly available for ten years due to human error. This affected almost the entire customer base who had signed up for the company’s main cloud service platforms since 2012.
Upon discovering the latest issue, Toyota conducted a thorough investigation into its cloud environments managed by Toyota Connected Corp, following the previous incident. The company stated that the incident was likely caused by inadequate dissemination and enforcement of data handling rules. In response, Toyota has implemented a system to monitor cloud configurations.
The issue arose due to a misconfiguration in the cloud environment where customer data collected by overseas dealers for managing maintenance inspections of vehicles was stored. Toyota is currently investigating the incident in accordance with the laws and regulations of each affected country.
Although the exact number of affected customers and the specific countries involved were not disclosed, it remains unclear if customers of Toyota’s luxury Lexus brand were also impacted. Toyota Connected, in which the automaker holds the majority ownership, offers mobility solutions to individual and business customers. These solutions include features like a smart key function, a 24-hour operator, and services providing location-based route guidance and traffic congestion information.
Toyota has stated that only a portion of customers’ information may have been externally accessible. The company conducted an investigation to determine if any third parties made copies or used the customer data, but no evidence of such use was found. Additionally, vehicle location and credit card information were confirmed to be excluded from the incident.
The company accidentally discovered this incident during routine inspections that commenced on April 7th.
