The trend of data breaches among major brands continues, as both Toyota and Telstra face recent data leaks impacting sensitive records from as far back as 2017.
On 7 October, multinational automotive manufacturer Toyota announced that nearly 300,000 records pertaining to email addresses and customer numbers had been exposed in a security incident.
The company published a public apology on the Japanese section of its global website, informing customers who had signed up for T-Connect, Toyota's telematics service that connects vehicles to a range of online services, that their information may have been leaked to hackers.
Toyota said the breach impacts customers who signed up to the service any time after July 2017, with a total of 296,019 cases found to have been leaked.
"We sincerely apologise for causing great inconvenience and concern to our customers," read the translated version of Toyota's apology.
The page went on to detail an apparently inconclusive investigation conducted by security experts, in which Toyota said, "although we cannot confirm access by a third party based on the access history of the data server where the customer's email address and customer management number are stored, at the same time we cannot completely deny it."
"As a result, it was revealed that from December 2017 to September 15, 2022, a third party was able to access part of the source code on GitHub," Toyota said.
Most notably, the published source code contained an access key to an important data server, which, if used, could have enabled an unauthorised third party to access sensitive data such as email addresses and customer management numbers.
So how did the source code wind up publicly accessible on GitHub?
Toyota reports a 'website development subcontractor' mistakenly uploaded a portion of the sensitive source code to their own GitHub account.
This major mistake went unnoticed until 15 September 2022, indicating that the access key, and consequently the data server, may have been exposed for nearly five years.
The source code on GitHub was made private on the same day the exposure was discovered, and the access key was changed soon after; but given how long the exposure remained unnoticed, there is a significant possibility that a data breach had already occurred.
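The failure described above is a credential sitting in committed source code. As an added example (not Toyota's or the subcontractor's code), the following pre-commit style gate flags credential-named assignments whose values look like real keys, while ignoring placeholders and values read from the environment; the regex, the entropy threshold and the sample config are assumptions constructed for this example.

```python
import math
import re
import sys
from collections import Counter

# Credential-named assignments with a long token value (pattern and threshold are assumptions).
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""(?i)\b(access[_-]?key|secret|api[_-]?key|password|token)"""
    r"""\s*[:=]\s*['"]?([A-Za-z0-9+/=_\-]{16,})"""
)

def shannon_entropy(value: str) -> float:
    """Bits per character: random keys score high, placeholders like 'xxxx' score 0."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_embedded_secrets(source: str, min_entropy: float = 3.5):
    """Return (line_no, name, value) for each assignment that looks like a live credential."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for match in CREDENTIAL_ASSIGNMENT.finditer(line):
            name, value = match.group(1), match.group(2)
            if shannon_entropy(value) >= min_entropy:
                hits.append((line_no, name, value))
    return hits

def scan_files(paths) -> int:
    """Pre-commit style gate: exit status 1 when any file embeds a credential."""
    hits = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits += [(path, *hit) for hit in find_embedded_secrets(fh.read())]
    for path, line_no, name, _ in hits:
        print(f"{path}:{line_no}: '{name}' looks like an embedded credential")
    return 1 if hits else 0

# Constructed sample config module; the key value is invented for this example.
SAMPLE_SOURCE = """\
import os
DB_HOST = "data-server.internal.example"
access_key = "dsk_9fT3qLmZ2vX8pQ4wR1nB"
api_key = "xxxxxxxxxxxxxxxxxxxxxxxx"
token = os.environ["DATA_SERVER_TOKEN"]
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(scan_files(sys.argv[1:]))  # wire this into a pre-commit hook
    print(find_embedded_secrets(SAMPLE_SOURCE))
```

Only the hard-coded access_key line is reported; the all-x placeholder has zero entropy and the environment lookup never matches the value pattern.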
Toyota is now cautioning customers to be on the alert for suspicious emails, such as spoofing or phishing scams.
"If you receive a suspicious email with an unknown sender or subject, there is a risk of virus infection or unauthorised access, so please do not open the file attached to the email and delete the email itself immediately."
It is currently unknown whether Australian customers are impacted, but for the time being, Toyota owners who have linked their vehicle to online services such as T-Connect are advised to keep a close eye on their inbox for potential correspondence from Toyota regarding the leak.
First Optus, now Telstra
The leaked details consisted of names and email addresses of current and former staff dating back to 2017, a reported 12,800 of which belong to people still employed by Telstra.
A spokesperson at Telstra reportedly said the breach stemmed from a third-party provider related to a staff reward program, rather than a direct hack of the telco itself.
Telstra emphasised it was "not a major cyberattack", stating that internal systems were not breached, and the related third-party platform had not been used for a number of years.
"No customer account information was included, we believe it's been made available now in an attempt to profit from the Optus breach," the spokesperson said.
"The relevant authorities have been notified, we've let current employees know, and while the data is of minimal risk to former employees, we will attempt to notify them too."
In a note to staff on the weekend, Telstra's communications chief Alex Badenoch said, "we understand this may cause some anxiety to our people, particularly in the current climate of heightened awareness around cyber security."
"If you wish to find out more about the breach, or to find out if your email address was exposed, please contact our cyber team," she said.
"In the meantime, we remind you as always to remain vigilant about any unexpected communications."
In related news, as data breaches at major brands like Optus, Telstra, and Toyota continue to dominate the news cycle, the Albanese Government is eyeing legal reforms that may increase fines, as well as limit the amount of time companies can retain personal data.