Toyota leak data

Toyota customer data exposed as dev published key on GitHub

Toyota confirmed that data of almost 300,000 of its customers leaked online after the company’s developer published the source code of the user site on GitHub five years ago.

The world’s largest car manufacturer, Toyota, apologized for leaking the details of 296,019 of its customers since 2017. The leaked data included email addresses and customer management numbers Toyota assigns to each client.

The details leaked via Toyota’s customer-facing app, T-Connect, which allows users to unlock cars, use navigation, inspect vehicle statistics and view other vehicle-related metrics.

Toyota claims that on September 15, the company noticed that parts of the source code of T-Connect were published on GitHub. According to the company, the source code was uploaded almost half a decade ago, in December 2017.

The leaked source code that was accessible for five years contained an access key to the data server that allowed unauthorized access to customer email addresses and customer management numbers stored on the server.

Toyota claims that the responsibility for the mistake lies with the T-Connect website subcontractor, who uploaded the source code to GitHub by mistake, violating contractual obligations to the company.

While customer management numbers are likely of little use to threat actors, hundreds of thousands of emails are not. Cybercriminals automate email-based attacks to send thousands of phishing messages to unsuspecting victims.

“We sincerely apologize for causing great inconvenience and concern to our customers,” Toyota said in a statement.

Earlier this year, Toyota was forced to shut down all of its 14 local factories following a cyberattack on its major electronic components supplier. 28 lines at 14 plants were suspended, along with some other Japanese plants at subsidiaries Hino Motors and Daihatsu Motor.

The incident happened with Kojima Industries, which supplies electronic components and plastic parts to Toyota. The company also confirmed that it had received a message demanding ransom.

Leave a Comment

Your email address will not be published.