Toyota Japan exposed millions of vehicles’ location data for a decade

Toyota Japan has apologized after admitting to leaving millions of customers’ vehicle details on the public internet for a decade.

The car maker said in a notice that it will notify about 2.15 million customers whose personal and vehicle information were left exposed to the internet after a “cloud misconfiguration” was discovered recently in April. Toyota said that the exposed data includes: registered email addresses; vehicle-unique chassis and navigation terminal numbers; the location of vehicles and what time they were there; and videos from the vehicle’s “drive recorder” which records footage from the car.

Toyota said the data spilling from its connected cloud was initially exposed in November 2013, but pertains only to vehicles in Japan, according to the company.

The company’s connected service provides Toyota customers with information about their vehicle, provides in-car entertainment services and helps to notify authorities in the event of an accident or breakdown.

Lexus car owners who signed up to the G-Link service are also affected.

Toyota said the data was secured, but has not seen any reports that the data was obtained or maliciously used. It’s not clear if Toyota has the logging in place to detect what, if any, data was exfiltrated from its network. Toyota said in its statement that it would introduce a system to monitor its cloud, suggesting its existing efforts were insufficient.

In 2022, Toyota admitted it exposed about 300,000 customer email addresses for close to five years after a subcontractor inadvertently uploaded part of the company’s source code to the internet. That data included a private key that stored customer email addresses.

Do you know more about the Toyota security lapse? Do you work at Toyota? You can contact Zack Whittaker on Signal at +1 646-755-8849 or zack.whittaker@techcrunch.com. You can also share files and documents with TechCrunch via our SecureDrop.