IOTW: Toyota admits to data breach after access key is posted on GitHub

Car manufacturer Toyota has issued a statement and an apology after it was discovered that third parties may have gained unauthorized access to customer details between December 2017 and September 15, 2022. 

The incident concerns T-Connect, an app which allows customers to connect their phone to their car. Any customers who registered between this period are at risk for their data being accessed, meaning the data for a potential 296,019 customers may have been leaked. The information available for access includes email address and customer management number, but personal or sensitive information including payment card information, name and address were not able to be accessed.

Following a security investigation, Toyota said in a statement that while it “cannot confirm access by a third party based on the access history of the data server where the customer's email address and customer management number are stored, at the same time [it] cannot completely deny it”.

Toyota also said that it will be individually notifying all those who were affected by the breach. Customers can check via a form on its website if their email was involved in the breach and Toyota has set up a dedicated call center to address questions and concerns from customers.

How did the breach take place?

On September 15 of this year, Toyota confirmed that a section of the source code for the T-Connect site had been posted on GitHub, a source code repository, in December 2017. As the source code contained an access key for the server, this may have allowed unauthorized access to customer data for the past five years. 

Toyota believes that the access key was posted mistakenly by a developer after they uploaded it to their profile while it was set to ‘public’, a violation of data handling rules.

The mistake went unnoticed until September. In a statement, Toyota apologized for the oversight, saying that “[it] once again recognize[s] that the proper handling of customers' personal information is an important social responsibility of a company” and that they will make efforts towards rectifying the mistake.

After the breach was discovered, the source code was made private and the access key was reset. According to Toyota, “no secondary damage has been confirmed” due to the leak, however they have warned customers that they may be at a higher risk for spam or phishing emails, and so they should be vigilant in dealing with suspicious emails. 

GitHub supply chain attacks

GitHub itself has had cyber security issues in the past. In August 2022, the site suffered a supply chain attack when a bad actor cloned and added malicious code to more than 35,000 GitHub repositories, while keeping the code’s original source code.

The malicious code allowed the repositories to collect information on the environment they were executed in. This would allow it to accumulate identifying information on the device it was executed on and the user that executed it, as well as having the potential to collect other sensitive data.

The code could also download additional malware from a third-party site that allowed it to further exploit any application or environment that was using the malicious cloned code originally introduced to the GitHub repositories.

The weaponized code could lead to developers accidentally downloading cloned code repositories which contain the malicious code. If used in their applications, this would then lead them to exposing their users to code which includes malware.