In another major security breach, Toyota Motor Corporation is warning customers that their personal information may have been accidentally exposed after an access key was publicly exposed on GitHub for nearly five years.
The breach came to light after the Japanese car manufacturer recently discovered that a part of the source code of its “T-Connect” website was erroneously published on GitHub.
The source code also contained an access key to the data server that stored email addresses and management numbers (assigned automatically) of customers who had signed up for the T-Connect website after July 2017.
For the unversed, Toyota’s T-Connect is a connectivity app that allows owners of Toyota cars to track their cars, check their status, control car remotely, and much more using their smartphone or smartwatch.
What Caused The Leak?
According to Toyota, a “T-Connect” website development subcontractor in December 2017 had uploaded part of the Toyota source code on the GitHub repository and wrongly set it to public access.
As a result of the inappropriate handling of the source code by the development subcontractor, the code remained exposed on the internet from December 2017 until September 15, 2022, i.e. the day when Toyota discovered the data breach.
Measures Taken After Discovery
After identifying the data breach n September 15, 2022, Toyota immediately made the source code private on GitHub. On September 17, 2022, the company changed the access key for the impacted data server to prevent all potential access from unauthorized third parties.
Further, Toyota has set up a special page on its website that allows users to check if their email address was affected by the incident. They have also set up a dedicated call center to answer questions and concerns from customers.
Findings
Toyota has not been able to confirm if any third party has used the access key to connect to the server that stored customers’ email addresses and management numbers.
However, it said that no other customer information such as name, phone number, credit card, etc. has been impacted by the incident, as they weren’t stored in the exposed database. Further, email addresses used for Lexus vehicles and MyToyota apps were not affected either.
The company has already started sending out apology letters to over 296,000 impacted customers for the mishandling of customer data.
Recommendations To Customers
Toyota says that while there is no evidence of any unauthorized use of personal information related to the data breach, it is likely that spam emails such as “spoofing” or “phishing scams” using email addresses may be sent to customers.
The company advises impacted customers to stay vigilant against such emails or scams.
The carmaker also recommends customers avoid opening attachments received in an email from an unknown sender and requests to immediately delete such emails.
Additionally, it suggests users be careful while accessing the address (URL) described in the email.
