Toyota’s Accidental Data Leak Exposes 300,000 Pieces of Customer PII On GitHub
By: Jim Stickley and Tina Davis
November 18, 2022
If you drive or have owned a Toyota Motor Corporation vehicle over the past five years, you should know about this recent news. The company announced that an accidental data leak was discovered, one that lasted nearly five years. Toyota says nearly 300,000 pieces of its customers’ personally identifiable information (PII) were exposed after being found published on GitHub last month.
According to the company, the leak began in December 2017 and continued until it was discovered in September of this year. The source of the leak, Toyota says, was a subcontractor who accidentally exposed an access key to the data on GitHub.
In Toyota’s online notice about the leak, the company explains: “In December 2017, the ‘T-Connect’ website development subcontractor mistakenly uploaded part of the source code to their GitHub account while it was set to be public, in violation of the handling rules.”
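The root cause described above, a credential sitting in source code that was then pushed to a public repository, is exactly what a pre-commit secret check is meant to catch. The following is an added example, not Toyota's or the subcontractor's code: a small scanner that flags access-key-shaped tokens and high-entropy credential assignments in text about to be committed. The regex patterns, the entropy threshold and the sample config are assumptions constructed for the illustration.

```python
"""Pre-commit style secret scan for text about to be pushed to a public repo.
Added example; the patterns are illustrative, real deployments use a maintained scanner."""
import math
import re

# Assumed patterns: an AWS-style access key ID ('AKIA' + 16 uppercase alphanumerics)
# and a generic "name = 'value'" credential assignment.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential_assignment": re.compile(
        r"(?i)\b(secret|token|api[_-]?key|access[_-]?key|password)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; prose and placeholders sit well below this

# Constructed sample of a config file that should never reach a public repository.
SAMPLE = """# constructed sample config
api_key = "Qx9vT2mLp7RzK4wN8sJ3bF6hD1yG5cV0"
password = "changeme"
AWS_KEY_ID=AKIAQ7X2M9P4L8K1R5T3
"""


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text: str, path: str = "<stdin>") -> list:
    """Return (path, line_no, rule, redacted_value) for every suspicious line."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for rule, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            # Template placeholders such as "changeme" are low entropy: skip them so the
            # hook stays quiet on scaffolding and loud on real-looking key material.
            if rule == "credential_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append((path, no, rule, value[:4] + "..."))  # never log the full secret
    return findings


if __name__ == "__main__":
    for hit in scan_text(SAMPLE, "config.ini"):
        print("%s:%d %s %s" % hit)
```

Wired into a pre-commit hook, a non-empty result blocks the commit; the redacted prefix is enough for the developer to find the offending line without the hook itself echoing the secret into CI logs.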
According to the company, the exposed data is limited to email addresses and management numbers of those customers subscribed to Toyota’s T-Connect app. The app allows customers to connect to the vehicle’s dashboard “infotainment” system via their smartphone.
Although the exposed customer PII can be viewed by third parties who could abuse the information, Toyota believes other customer PII, such as names and credit card information, was not compromised. The company says it currently has no reports of the leaked data being abused, but it also cannot confirm that it wasn’t.
Toyota claims it has since taken the steps necessary to ensure a data faux pas like this doesn’t happen again. It is also contacting each customer whose PII may have been compromised individually, with an apology for the accident.
Since we know for sure the leaked data included email addresses, those whose data was involved should be particularly vigilant about email phishing attempts. Any email claiming to be from Toyota should be carefully scrutinized, especially one with attachments, which can carry malware. Be equally suspicious of links in the message body, which can lead to fraudulent websites designed to steal more PII. Extra caution will keep someone from driving off with your PII.