Threat Watch

Toyota Discloses Potential Data Leak

Toyota has given notice to customers that their data may have been accessed by an unauthorized party after a portion of the source code to their T-Connect software was uploaded to GitHub. The portion uploaded contained an access key to the data server that stored customer email addresses and management numbers. This made it possible for an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when access to the GitHub repository was restricted. Toyota has since changed the database keys and asserts that all potential access was removed. The announcement explains that customer names, credit card data, and phone numbers have not been compromised as they weren’t stored in the exposed database.

ANALYST NOTES

Toyota blamed a development subcontractor for the error but recognized its responsibility for the mishandling of customer data and apologized for any inconvenience caused. Leaks such as these are common when developers use third parties to store code. Companies should have preventive measures in place, such as the Binary Defense Counterintelligence team, which searches websites such as GitHub for any accidental software uploads and works to get them taken down quickly. Anyone who identifies that they were a user of the T-Connect function between July 2017 and September 2022 should be vigilant against phishing scams targeting them.

https://www.bleepingcomputer.com/news/security/toyota-discloses-data-leak-after-access-key-exposed-on-github/