Threat Watch

Toyota Customers’ Personal Information Potentially Exposed in GitHub Repository

Toyota Kirloskar Motor, a joint venture between Toyota and Kirloskar to facilitate the manufacturing and sales of Toyota vehicles in India, has potentially suffered a data breach. When Toyota’s T-Connect feature was developed in 2017, a subcontractor working on the project unintentionally published some of its website source code on GitHub. This code was publicly available from December 2017 until September 15th, 2022, when it was noticed. The repository was then locked, and the keys were modified; however, prior to this, the information of nearly 300,000 Toyota customers may have been exposed. Customer information such as email addresses and management numbers was included in the data that was potentially accessed. Toyota released a statement regarding this incident, a portion of which read, “As a result of an investigation by security experts, although we cannot confirm access by a third party based on the access history of the data server where the customer’s email address and customer management number are stored; at the same time, we cannot completely deny it.” Toyota plans to directly reach out to customers who potentially had their information exposed.

ANALYST NOTES

Although Toyota does not believe data was accessed by an unauthorized party, it is still recommended that those customers remain vigilant for the time being. Since email addresses were included with other exposed data, affected individuals are more vulnerable to scams and phishing attempts. Emails received from unknown senders should not be interacted with. Unusual emails, emails involving payments, or emails involving sign-in links to high-value accounts from trusted counterparties should be scrutinized carefully, and direct, independent contact should be made with the trusted counterparty to validate the legitimacy of the communication.
