Toyota Motor, the world's biggest car maker, issued an apology on Friday after disclosing that close to 300,000 customer email addresses and assigned customer numbers were “mistakenly” leaked through a subcontractor.
The Japanese company said customers who had registered their email addresses on the Toyota Connect (T-Connect) app since July 2017 were affected, according to a statement on its website.
The app connects customers to their vehicles through smartphones.
“The email addresses and customer management numbers of some customers who subscribe to 'T-Connect' were found to have been leaked,” Toyota said, with 296,019 cases found.
“We sincerely apologise for causing great inconvenience and concern to our customers.”
The car maker stressed that other information such as names, phone numbers and credit card details was not affected.
The incident occurred after the T-Connect website's development subcontractor — who Toyota did not name — “mistakenly” uploaded part of the source code to its account on GitHub, an internet hosting service owned by Microsoft.
The subcontractor's account was set to public, “in violation of the handling rules”, Toyota said.
“From December 2017 to September 15, 2022, a third party was able to access part of the source code on GitHub,” Toyota said.
“It was discovered that the published source code contained an access key to the data server and by using it, it was possible to access the email address and customer management numbers stored in the data server.”
Data leaks can be costly, have the potential to cause irreparable harm and could tarnish a company's financial and reputational status.
The average cost of a data breach hit a record high of $4.35 million in 2022, which is 2.6 per cent higher than last year, US technology company IBM said in an August report. This is also up by about 13 per cent from 2020.
The car maker said it would begin to send individual notifications and apologies to affected users, and that it had set up a dedicated call centre to answer questions and concerns.
“In addition, we have prepared a special form on our website that allows you to check whether your email address is subject to this campaign,” it said.
Toyota also said that the leaked data could be used by cyber criminals — who could exploit the situation by sending spam or phishing emails to affected users.
However, the company said it had not confirmed any unauthorised use of the data.
“If you receive a suspicious email with an unknown sender or subject, there is a risk of virus infection or unauthorised access, so please do not open the attached file and immediately delete the email itself,” it said.