Toyota has revealed that private information from customers in Japan, as well as other countries throughout Asia and Oceania, was publicly accessible due to two separate incidents.
In the case impacting customers in Asia and Oceania, the carmaker says that some of the files managed by Toyota Connected Corporation in the cloud for overseas dealers’ maintenance requirements and investigation of systems, were actually accessible externally “due to a misconfiguration.”
While the Japanese automaker hasn’t said how many customers are impacted, it says that customer details including addresses, names, phone numbers, email addresses, customer IDs, vehicle registration numbers, and vehicle identification numbers could be accessed externally. This information was available to the public between October 2016 and May 2023.
Read: Toyota Data Leak Left Over 2 Million Owners’ Vehicle Information Exposed For A Decade
Speaking with Reuters, a Toyota spokesperson confirmed that the carmaker is investigating the issue based on the laws and regulations of each country.
As for the second incident, this time limited to Japan, Toyota has revealed that approximately 260,000 customers using the Lexus G-Link connected services have had details about the vehicles available to the public, including vehicle identification numbers, map data updates, and other mapping systems. This leak does not include any data that can be used to identify owners. Information may have been available to view between February 9, 2015 and May 12, 2023.
These two leaks come just a couple of weeks after Toyota revealed that vehicle data of 2.15 million customers in Japan had been publicly accessible between November 2013 and April 2023. The brand believes the two latest incidents were “caused by insufficient dissemination and enforcement of data handling rules” and revealed that since the first leak in mid-May, it has “implemented a system to monitor cloud configurations.”
Toyota says it has found no evidence of the secondary use of information that was available, nor has it found any third-party copies of the information.