Ooops; v97.129

Cars are an extension of our culture and society.  Our persona is reflected in the vehicle we drive.

The hardware and software included in a model can be technologically advanced or somewhat basic.  One thing the models have had in common over roughly the last ten years is connectivity.

In the future, vehicles will be connected to each other, the infrastructure, and other sources.  One aspect of this already in use is the owner being connected to the vehicle.  Each manufacturer has its own app for this.  Examples include Audi MMI Connect, AcuraLink, BMW ConnectedDrive, myBuick, myCadillac, myChevrolet, Genesis Intelligent Assistant, and many others.

These apps are already very useful to the vehicle owner, and they keep improving as more functionality is incorporated.

With an app, there is generally a full cycle of testing to ensure (to the best of the team's abilities) that the vulnerabilities identified through a Threat Assessment and Remediation Analysis (TARA) or other methods are mitigated pre-production.  Usually, this process is thorough unless you are only there to check the box.

Toyota

Apparently, this process didn't work so well for Toyota.

They had a little issue that came to light recently.  There was a data breach with their online service, the Toyota cloud-based connected service (G-Link, G-Book, and Connected).

This service is managed by Toyota Connected Corporation.  For more than ten years, data from more than 2.15 million vehicles was available to unauthorized parties.

The timeframe for this was January 2012 to April 2023.

Good News?

The good news, if there is any, is that only vehicles from Japan during that period were affected, not vehicles globally, which would have caused much more of an issue.

There also haven't been any issues noted from the data being compromised, which could have taken the form of the data being misused or leaked to third parties.  With the ease of data transportability, this could have been much worse.

Risk

Data is the new oil.

The value here is vast, both in the data as a whole and in the many ways you can slice it for different customers.  The data includes the Vehicle Identification Number (VIN), vehicle location and time stamp, terminal ID, and video footage.

This may sound innocent enough.  After all, what are you going to do with a VIN and vehicle location?

An enterprising person might be able to identify individual owners with the data and footage.  They could build a file on the individual vehicle usage and location.  If you happen to look into the windshield and take a quick picture of the VIN, the database could be searched for the VIN.  With this you have the address, and you can search the tax rolls for the owner's name.

Cause

The cause for this was relatively simple.

The cloud instance's service was left open to outside access, or it was set to public access instead of private.  This was due to a misconfigured database.  It was basic human error.

This happens more often than it should.  With more companies moving to the cloud en masse, it will continue to happen.

Post-Issue

The corporation set up employee training to increase cybersecurity awareness.

They should have turned this off as soon as it was released to the clients.  They will also implement a service to audit the cloud instance settings to ensure this doesn't happen again.
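
A settings audit of the kind mentioned above would look for the two conditions described under Cause: access set to public instead of private, and outside access left on.  The following is an added example, not code from the article or from Toyota; the inventory schema, resource names, and dates are constructed for illustration and do not correspond to any real cloud API.

```python
import ipaddress
from datetime import date

# Constructed inventory. The field names are a hypothetical, provider-neutral
# schema for this example, not any real cloud API or Toyota's configuration.
INVENTORY = [
    {"name": "telematics-db", "access": "public", "allow": ["0.0.0.0/0"],
     "fields": ["vin", "location", "timestamp", "terminal_id"],
     "exposed_since": date(2012, 1, 1)},
    {"name": "dashcam-archive", "access": "private", "allow": ["10.0.0.0/8", "::/0"],
     "fields": ["video"], "exposed_since": date(2023, 2, 1)},
    {"name": "billing-db", "access": "private", "allow": ["10.20.0.0/16"],
     "fields": ["invoice_id"], "exposed_since": None},
    {"name": "press-kit", "access": "public", "allow": ["0.0.0.0/0"],
     "fields": ["brochure"], "exposed_since": date(2023, 1, 9)},
]

# Data types the article lists as exposed.
SENSITIVE = {"vin", "location", "timestamp", "terminal_id", "video"}


def open_to_internet(cidrs):
    """True if any allow-list entry covers all of IPv4 or IPv6."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def audit(inventory, today):
    """Return findings for externally reachable resources, worst first."""
    findings = []
    for res in inventory:
        reasons = []
        if res["access"] == "public":
            reasons.append("access set to public instead of private")
        if open_to_internet(res["allow"]):
            reasons.append("allow-list left open to outside access")
        if not reasons:
            continue  # neither condition holds: not reachable from outside
        hit = sorted(SENSITIVE & set(res["fields"]))
        since = res["exposed_since"]
        findings.append({
            "name": res["name"],
            "severity": "high" if hit else "review",
            "reasons": reasons,
            "sensitive_fields": hit,
            "days_exposed": (today - since).days if since else None,
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["name"]))
```

Calling `audit(INVENTORY, date(2023, 4, 30))` flags the private archive whose allow-list is open as well as the resources marked public, and reports how long each has been reachable.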

While we hope it won't occur again, it probably will... again, and again, and again.
