Toyota Italy data leak could compromise customers' sensitive personal information

The sensitive personal information of Toyota Italy’s customers was compromised in a data breach the company suffered last month.

In March, it came to light that Toyota Italy accidentally leaked sensitive information dating back over one-and-a-half years, leaving its customers vulnerable to a barrage of phishing attacks and identity fraud attempts by threat actors.

An investigation by CyberNews revealed that credentials for the company’s marketing tools - Salesforce Marketing Cloud and Mapbox APIs, were exposed. Threat actors could use these credentials to access sensitive customer data such as email addresses and phone numbers, launch marketing campaigns, edit marketing content linked to the cloud, send push notifications to customers, send fake text messages, and create automation scripts. Security researchers added that this file was exposed since May 21, 2021.

Toyota was notified about the leak by CyberNews and acted quickly. It immediately launched an investigation and determined that the vulnerability was caused by a failure to follow its data-security policies. It has since implemented additional safeguards to strengthen its systems.

“Immediately after Cybernews team informed Toyota Motor Italy of a cybersecurity vulnerability in its IT environment, the company took all necessary actions to remedy the situation that was caused by a failure to follow our company data security policies.

“An additional set of countermeasures have been put in place to restore and strengthen our cyber security systems and protocols. We have reported this data privacy risk to the relevant authorities and are fully cooperating with the ongoing investigation,” said Corey Proffitt, a spokesperson for Toyota Motor North America.

Proffitt said the company has extended its area of investigation and is trying to “prevent a recurrence of similar incidents.”

In February, Taiwanese automotive company Hotai Motor also suffered a data leak that exposed the sensitive personal data of users of its car rental service iRent.

The data leak was discovered by cyber security researcher Anurag Sen who found an unsecured database containing iRent customers’ personal information on a Hotai-owned cloud server. As the database was not protected with a password, it could be accessed by anyone with an Internet connection and the right IP address.

According to Sen, the compromised database, which stored 4.2 terabytes of data, contained sensitive personal information of iRent customers, including their full names, cell phone numbers, email addresses, home addresses, copies of their driver’s licences, and partial payment card details.