Recent reports say that Toyota Motor Corporation has warned its customers about a data leak in which 296,000 records of customer information were compromised through its T-Connect service.

The automobile giant has stated that customers using the T-Connect service could be vulnerable to attacks. T-Connect is a telematics service that connects vehicles via an online network.

Toyota further stated that:

“As a result of an investigation by security experts, although we cannot confirm access by a third party based on the access history of the data server where the customer’s email address and customer management number are stored, at the same time we cannot completely deny it.”

The data leak compromised the email addresses and customer management numbers of customers who subscribed to T-Connect after July 2017. Toyota has also assured customers that information including names, phone numbers, and credit card numbers was not affected by the attack. The company has not confirmed any unauthorized use of the data and has not relayed any information specific to Australia to date. However, the automobile giant said that the leaked data could be used by cybercriminals who want to exploit the situation by sending spam or phishing emails to affected users.

What caused the leak?

The leak occurred after a T-Connect web development subcontractor “mistakenly” uploaded some of its source code to GitHub, an internet code hosting and collaboration platform. The subcontractor set the repository to ‘public’, which means that any third party who has a GitHub account had unwarranted access to this part of the source code.

Toyota further stated that:

“From December 2017 to September 15, 2022, a third party was able to access part of the source code on GitHub. It was discovered that the published source code contained an access key to the data server and by using it, it was possible to access the email address and customer management numbers stored in the data server.”

The company said that it would begin to send individual notifications and apologies to the affected users. Furthermore, it has set up a dedicated call center to answer questions and concerns. The company also warned its customers about unsolicited emails, stating that:

“If you receive a suspicious email with an unknown sender or subject, there is a risk of virus infection or unauthorized access, so please do not open the attached file and immediately delete the email itself.”

So, beware if you receive any suspicious email from any unknown sender. Stay tuned for further updates.

