Toyota has confirmed the vehicle data of 2.15 million users in Japan had mistakenly been made publicly available.
Not only was this information available to the public, but the data – from its main cloud service platforms – was viewable for a decade due to human error.
The company says this data was mistakenly set to public view, and potentially includes details like vehicle locations and identification numbers of vehicle devices.
Toyota has confirmed there have been no reports of malicious use, while its Australian arm says no Australian customers have been affected.
“Toyota Australia is informed that the cloud service platforms are Japan-based and not linked to any services we offer in Australia and therefore no Australian customer or vehicle data has been compromised,” said a Toyota Australia spokesperson.
“There was a lack of active detection mechanisms, and activities to detect the presence or absence of things that became public,” a Toyota spokesperson told Reuters when asked how the breach went unnoticed for so long.
The exposure began in November 2013 and lasted until mid-April.
The issue affected owners of both Toyota and Lexus vehicles using T-Connect and G-Link connectivity services, including those who signed up for features like emergency dialling.
The company is now investigating all the cloud environments managed by Toyota Connected Corp.
Toyota says it will introduce a system to audit cloud settings, establish a system to continuously monitor these, and educate its employees on secure data handling.
This incident follows a similar breach of T-Connect data which the company confirmed last October.
Toyota said 296,019 email addresses and customer numbers were potentially leaked, affecting customers who signed up for the T-Connect website from July 2017 onwards.