May 31, 2023

Apology and Notice Concerning Newly Discovered Potential Data Leakage of Customer Information Due to Cloud Settings

Announcement

On May 12, Toyota Motor Corporation (TMC) announced "Apology and Notice Concerning Potential Data Leakage of of Customer Information Due to Misconfiguration of Cloud Environment (Japanese only)" Subsequently, we conducted an investigation for all cloud environments managed by TOYOTA Connected Corporation (TC). It was further discovered that a part of the data containing customer information had been potentially accessible externally. We would like to inform you of the incident that has been identified as of today.

As we believe that this incident also was caused by insufficient dissemination and enforcement of data handling rules, since our last announcement, we have implemented a system to monitor cloud configurations. Currently, the system is in operation to check the settings of all cloud environments and to monitor the settings on an ongoing basis. In addition, we will work closely again with TC to explain and thoroughly enforce the rules for data handling. We will also work to prevent a recurrence by thoroughly educating our employees once again. We sincerely apologize to our customers and all relevant parties for any concern and inconvenience this may have caused.

We have also investigated whether, with this incident, there was any secondary use or if third-party copies remain on the Internet, and no evidence of such has been found. At present, we have not confirmed any secondary damage. (Vehicle location, credit card information, etc., are not included in this incident)

The incidents are as follows.

  1. Domestic service incidents in Japan

  • In-vehicle device IDs―identification numbers for each in-vehicle device (navigation terminal)―, map data updates, and updated data creation dates used for distribution data creation of the in-vehicle navigation terminal map data distributing system were potentially accessible externally. (Services using this system have already been terminated)
  • Even if accessed externally, these data alone cannot reveal and identify any individual customer. In addition, these data cannot be used to access or in any way affect the vehicle.
Customer information that may have been potentially accessible externally In-Vehicle device ID, map data updates, updated data creation dates
Map information and its creation date, not vehicle location.
Impacted Customers
  • Customers who subscribed to G-BOOK with a G-BOOK mX or G-BOOK mX Pro compatible navigation system
  • Some customers who subscribed to G-Link / G-Link Lite*1 and renewed their Maps on Demand service between February 9, 2015 and March 31, 2022.
Totalapprox. 260,000 customers
*1 Impacted Vehicles
Vehicle Period of time it was on sale
LS October 2009 - September 2014
GS September 2009 - August 2014
HS July 2009 - July 2015
IS July 2009 - August 2013
IS F December 2007 - May 2014
IS C May 2009 - July 2014
LFA December 2010 - December 2012
SC August 2009 - July 2010
CT January 2011 - December 2013
RX January 2009 - September 2015
Period that the cloud environments were potentially accessible externally February 9, 2015 - May 12, 2023
In principle, the above customer information is automatically deleted from the cloud environment within a short period of time after the map data is distributed and is not continuously stored or accumulated during the above period.

Customers whose information may have been leaked will receive a separate apology and notification to their registered e-mail addresses beginning today. In addition, a dedicated call center will be set up to answer any questions or concerns from customers.

  1. Overseas service incidents

  • Some of the files that TC manages in the cloud environment for overseas dealers' maintenance and investigation of systems were potentially accessible externally due to a misconfiguration. After this matter was discovered, we took steps to block access from outside the company.
Customer information that may have been potentially accessible externally Address, Name, Phone number, Email address, Customer ID, Vehicle registration number, Vehicle Identification Number
For impacted customers, not all but some of the above information is included depending on the inquiry file.
Regions Some countries in Asia and Oceania (Japan is not included)
Period that the site was potentially accessible externally October 2016 - May 2023

We will deal with the case in each country in accordance with the personal information protection laws and related regulations of each country.

Inquiries from applicable customers in Japan (Dedicated Call Center)

Customer information consultation desk
0120-502-435
(Toll-free; Hours: 9:00 A.M. to 6:00 P.M., weekdays, weekends, and holidays)

Please double-check the number before calling

TC publication regarding this matter

https://company.toyotaconnected.co.jp/news/press/2023/0531/ (Japanese only)

RELATED CONTENT

MOST POPULAR