Toyota Discloses Decade-long Data Leak
Toyota Motor Corporation has disclosed that a misconfigured cloud environment exposed customer vehicle location data for nearly a decade. The misconfiguration allowed access to the database without a password. The incident affects both Toyota and Lexus owners who enrolled in Toyota’s cloud service platform.
A ten-year Time to Detect really skews your metrics in the wrong direction. The data exposed is not very useful for cyberattacks, but it does point out two weak points that are often not addressed: (1) supply chain security and (2) misconfiguration of cloud services.
We have seen very few details discussed on this one. The exposure could range from an S3 bucket (or another cloud provider's equivalent of S3) to a virtual machine (or instance) exposed to the Internet with no firewall rules. It’s hard to tell. What is relevant is the statement that they lacked the visibility and detection to notice the gap. They also may not have been penetration testing their cloud environment, so these items may never have been noticed. Few details, but they are still very relevant as we see more and more of these types of disclosures by the day. The good news is that tools can help detect and find these in your cloud environments. Hopefully, you have this level of telemetry. If you don’t, look into it. If you do, who is looking at those screens?
This impacted both Toyota and Lexus customers. The lack of a password on the database hints at a shortcut taken to make things work. At some point after the data were moved to the cloud in 2012, the database was marked public rather than private. While painful, it's important to review access control settings on a periodic basis to avoid surprises, as well as to revisit workarounds to ensure they didn't add undue risk.
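The two preceding comments describe the exposure as either a storage bucket or an instance reachable without firewall rules, and call for periodic review of access control settings. The following added example (not code from the article, Toyota, or any named tool) shows what that review can look like as an offline check: it walks a constructed inventory of AWS-style bucket policies and security-group ingress rules and reports grants to everyone and datastore ports open to the whole Internet. The policy documents, account id, bucket name and rules are constructed samples; no cloud API is called.

```python
"""Offline audit of constructed cloud resource configurations for public exposure.

Added example, not from the article. The AWS-style policy and security-group
documents below are constructed samples; the audit only inspects dictionaries
and makes no API calls, so it runs anywhere.
"""
from ipaddress import ip_network

# Ports where a listener reachable from anywhere usually means an exposed datastore.
DATASTORE_PORTS = {1433: "mssql", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 9200: "elasticsearch", 27017: "mongodb"}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for the wildcard principal forms '*' and {'AWS': '*'}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_statements(policy):
    """Return (sid, kind, actions) for Allow statements granted to everyone.

    kind is 'public' for an unconditional grant and 'conditional' when a
    Condition block is present (e.g. a source IP or VPC endpoint restriction
    may narrow it); the latter still deserves a human look.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        kind = "conditional" if stmt.get("Condition") else "public"
        findings.append((sid, kind, ",".join(_as_list(stmt.get("Action", [])))))
    return findings


def open_ingress(rules):
    """Return (port, service, cidr) for datastore ports reachable from any address.

    Each rule is a dict like {"FromPort": 3306, "ToPort": 3306, "CidrIp": "0.0.0.0/0"}.
    Only a /0 source (0.0.0.0/0 or ::/0) counts as 'anyone'; FromPort -1 means all ports.
    """
    findings = []
    for rule in rules:
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr is None or ip_network(cidr, strict=False).prefixlen != 0:
            continue
        lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
        ports = sorted(DATASTORE_PORTS) if lo == -1 else [p for p in DATASTORE_PORTS if lo <= p <= hi]
        for p in ports:
            findings.append((p, DATASTORE_PORTS[p], cidr))
    return findings


def audit(inventory):
    """Walk {resource name: config} and return human-readable findings."""
    findings = []
    for name, res in inventory.items():
        if res["type"] == "bucket_policy":
            for sid, kind, actions in public_statements(res["policy"]):
                findings.append(f"{name}: {kind} grant in {sid} for {actions}")
        elif res["type"] == "security_group":
            for port, svc, cidr in open_ingress(res["rules"]):
                findings.append(f"{name}: {svc} ({port}/tcp) reachable from {cidr}")
    return findings


# Constructed samples. PUBLIC_POLICY is the "marked public rather than private" shape.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-telematics/*"}],
}
PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/telematics-app"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-telematics/*"}],
}
DB_SG_RULES = [
    {"FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},     # HTTPS to the world: not a datastore port
    {"FromPort": 3306, "ToPort": 3306, "CidrIp": "10.0.0.0/8"},  # MySQL from the private network: fine
    {"FromPort": 3306, "ToPort": 3306, "CidrIp": "0.0.0.0/0"},   # MySQL from anywhere: finding
]
INVENTORY = {
    "telematics-archive": {"type": "bucket_policy", "policy": PUBLIC_POLICY},
    "telematics-private": {"type": "bucket_policy", "policy": PRIVATE_POLICY},
    "db-sg": {"type": "security_group", "rules": DB_SG_RULES},
}

if __name__ == "__main__":
    for line in audit(INVENTORY):
        print(line)
```

In practice the inventory would be fed from the provider's configuration export or API rather than hard-coded, and the run would be scheduled so that a bucket or security group changed years after the original deployment still surfaces on the next pass; that is the periodic review the comment above asks for.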
Misconfiguration is the number one vulnerability of cloud tenants. The Center for Internet Security produces several hardened images that are available in the cloud service providers’ marketplaces. These secure images are built from many CIS Benchmarks. This data leak was entirely preventable.
Read more in
Bleeping Computer: Toyota: Car location data of 2 million customers exposed for ten years