Toyota database with data from 2 million customers was publicly online for 10 years

Toyota left the database of one of its cloud services online for ten years without a password. The database contains information on more than two million Japanese customers using Toyota’s T-Connect service. Sister brand Lexus is also affected.

It concerns 2.15 million Japanese users. That’s almost all customers who have signed up for T-Connect, or G-Link in the case of Lexus cars, since 2012. “It could be details like vehicle locations and serial numbers of the vehicle devices,” Toyota tells Reuters.

“There was a lack of active detection mechanisms and activities to notice the presence or absence of things going public,” the company further explains in response to the question of how the leak could have persisted for so long. It goes on to say that there have been “no reports of abuse.” The database had been publicly accessible via the internet since November 2013, and the leak was closed in mid-April this year.

In response, Toyota will establish a system for safety auditing and continuous monitoring of such facilities. Employees must also be ‘thoroughly’ taught about the rules surrounding the handling of other people’s data. Finally, the Japanese privacy authority has been informed.

With T-Connect, which also includes smartphone apps, users can navigate, check and plan battery charging, pre-set the climate in the car before a journey, and call roadside assistance if necessary. In Europe the service is called MyT.

This is the second time in a short period that Toyota has found itself in such a situation. Last year it emerged that part of the source code of the Toyota Connect website had been available for five years through a public GitHub account. The source code contained a key that provided access to a server containing customer data for 296,000 people. The data concerned e-mail addresses and customer numbers.