WhichCar

Toyota confirms some Australian owners affected in unprotected data event

Toyota and Lexus owners in Japan have had their vehicle data publicly available for the past decade, with some Australian Toyota customers impacted.

Actually, wait...

Three weeks after it said there was no local impact, Toyota Australia has now confirmed a 'limited number' of its customers are affected by a massive data exposure case initially reported in Japan.

Despite previously stating that Australia’s Toyota Connected Services aren’t linked to the Japan servers and were therefore not impacted by the vulnerability, the local arm has revised its position, following further investigation.

The full statement, followed by our original story, can be found below.

Importantly, Toyota says that while some of its Australian customers are affected by the matter, it has "found no evidence that the data has been accessed".

We may never know the full number of affected owners in Australia, however, with Toyota describing it as only "a comparatively small number".

Unlike a conventional recall, Toyota says it is working to contact affected owners directly rather than issuing a notice with the VINs of vehicles involved in the matter.

Full Toyota Australia statement

“On 12 May, Toyota Motor Corporation confirmed that the vehicle data of some users in Japan had been publicly accessible due to an error in the configuration of a cloud-based database,” a Toyota Australia spokesperson told Wheels.

“At the time of that notification, it was our understanding that no Australian data was included but, upon continued investigation, we now know that a comparatively small number of Australian records have been impacted.

“Our investigations have found no evidence that the data has been accessed, and we have concluded that the probability is extremely low that any third party could have accessed it.

“While the data may include vehicle information, as well as some personal information such as names and some contact information, no personal financial details are included.

“Toyota Australia recognises the concern that this may cause to our customers, and we are working to contact directly those impacted to advise them of the situation, and to detail the measures that we have taken to ensure the security of our systems and their data.

“We continue to liaise with Toyota head office in Japan, and we will provide updates should additional information become available.”

Lexus not affected

Toyota's luxury marque Lexus has confirmed with Wheels that while the data leak did affect Lexus owners in Japan, its Australian customers are not affected. However, the brand's local spokesperson did not offer any further insight on how its Australian customers were immune to a leak that affected the wider Toyota business.

The Lexus version of Toyota's connected services launched locally in early 2022.

May 18, 2023: Toyota confirms Japan data leak, Australian owners unaffected

As noted in our story update above, the details in this May 18 story are retained here for the historical record only.

Toyota Motor Corporation has confirmed the vehicle data of 2.15 million owners in Japan had been made public since 2013 due to a ‘human error’.

Importantly, the company's local arm has confirmed to Wheels Media that no Australian owners have been affected by this security breach.

Snapshot

  • Data exposed for more than 2 million Toyotas in Japan
  • ‘Human error’ left connected services system public for the past decade
  • Australian owners unaffected

The data leak only affects Toyota and Lexus customers in Japan who signed up for the T-Connect and G-Link connected services respectively.

A Toyota Motor Corp spokesperson told Reuters that the cloud system was erroneously set to public instead of private from November 2013 to mid-April 2023 – due to a “lack of active detection mechanisms… to detect the presence or absence of things that became public.”

This left details open, such as vehicle locations and identification numbers, but the company claims there have been no reports of malicious use.

The world’s biggest automaker – and the best-selling car brand in Australia – said it has opened an investigation under Toyota Connected Corporation and would introduce a system to audit cloud settings, continuously monitor settings, and educate employees on data handling.

Australians not impacted by data leak

Toyota Connected Services launched in Australia last year with the debut of the Corolla Cross small SUV, and has subsequently rolled out to almost all models except the GR 86 coupe.

However, a Toyota Australia spokesperson told Wheels that the data leak doesn’t affect owners locally.

“Toyota Australia is informed that the cloud service platforms are Japan-based and not linked to any services we offer in Australia and therefore no Australian customer or vehicle data has been compromised,” the spokesperson said.

The company embeds a Telstra SIM card to enable built-in emergency services calling and a connected smartphone application to monitor the vehicle status, while higher-tier paid subscriptions unlock functions such as remote engine start, remote locking/unlocking, and a connected voice assistant.

A growing number of carmakers are offering similar connected services in Australia, including Hyundai Bluelink, Kia Connect and FordPass Connect, following in the footsteps of Tesla.

