Two weeks ago, Toyota said it exposed the data of more than two million customers to the internet for a decade. Today, the automotive giant said it recently discovered the data of another 260,000 car owners spilling from its systems.
Toyota said in a statement that it identified another batch of exposed data that was “potentially accessible externally due to a misconfiguration” of its connected cloud service, which allows Toyota customers to get internet services in their vehicles, such as information about their vehicle, in-car entertainment and assistance in the event of a car accident or breakdown.
The carmaker said it learned of the misconfiguration after conducting a wider investigation of its cloud environments after admitting earlier this month that customer data was accessible by anyone from the wider internet.
Toyota said the newly discovered exposed data includes in-vehicle device identifiers and mapping data that’s displayed on the car navigation system of customers in Japan but that the information alone does not contain location information and cannot reveal or identify customers. Toyota customers may be affected if they bought a vehicle as far back as December 2007, and their data was exposed between February 2015 and May 2023.
The carmaker said it would notify with a separate apology customers whose information was exposed.
Toyota also confirmed that an unknown number of customers outside of Japan, specifically in Asia and Oceania, had personal information exposed between October 2016 and May 2023. While the data varies by customer, Toyota said the exposed data may include customer names, postal and email addresses, a Toyota-issued customer identifying number and the vehicle’s registration and identifying numbers. The company said it would notify customers in accordance with local laws.
The company said it has no evidence that the data was accessed or copied, though Toyota did not say what logging, if any, it has to determine if data was exfiltrated from its systems.
TechCrunch has contacted Toyota for more details, but has not yet received a response.