Toyota Motor (NYSE:TM) Corp has warned its customers about a data leak affecting 296,000 records of customer information compromised through its T-Connect service.
The automobile giant in a statement said that its customers using the T-Connect service, a telematic service that connects vehicles via an online network, could be vulnerable to attacks.
Toyota said: “As a result of an investigation by security experts, although we cannot confirm, access by a third-party based on the access history of the data server where the customer's email address and customer management number are stored, at the same time we cannot completely deny it.”
The leak compromised the email addresses and customer management numbers of customers who have subscribed to T-connect after July 2017.
Toyota has assured that information such as names, phone numbers and credit card numbers were not affected in the attack.
Also, the company has not confirmed any unauthorised use of the data and not relayed any information specific to Australia to date.
Toyota also said that the leaked data could be used by cybercriminals — who could exploit the situation by sending spam or phishing emails to affect users.
What caused the leak?
The leak occurred after a T-connect web development subcontractor “mistakenly” uploaded some of its source code to GitHub, an internet code hosting and collaboration platform and set it to 'public'.
This means that any third party who has a GitHub account had unwarranted access to this part of the source code.
Toyota said: “From December 2017 to September 15, 2022, a third party was able to access part of the source code on GitHub.”
It added: “It was discovered that the published source code contained an access key to the data server and by using it, it was possible to access the email address and customer management numbers stored in the data server.”
What next?
Toyota said that it would begin to send individual notifications and apologies to the affected users and that it had set up a dedicated call centre to answer questions and concerns.
“In addition, we have prepared a special form on our website that allows you to check whether your email address is subject to this campaign,” it said.
Warning its customers of unsolicited emails, the company said: “If you receive a suspicious email with an unknown sender or subject, there is a risk of virus infection or unauthorised access, so please do not open the attached file and immediately delete the email itself.”