Data leak
Toyota Connected GPS Data Exposure: 2.15 Million Vehicles, 10-Year Undetected Cloud Misconfiguration
Incident Details
Toyota disclosed in May 2023 that vehicle data for 2.15 million Toyota and Lexus customers in Japan had been publicly accessible via a misconfigured cloud environment for approximately 10 years (November 2013 to April 2023). The exposed data included vehicle GPS data (location and timing information), vehicle identification numbers, and in-vehicle device IDs. The data was collected through Toyota’s T-Connect telematics service, which provides connected car features including navigation and emergency assistance.

The exposure was discovered during a security audit Toyota initiated following an earlier disclosure: in October 2022, Toyota revealed that 296,019 customers’ email addresses and customer management numbers had been exposed since December 2017 through a source code error by a development contractor who had committed access credentials to a public GitHub repository, undetected for nearly five years.

The 2023 cloud misconfiguration disclosure, covering 2.15 million vehicles, prompted Toyota to conduct a comprehensive review of all cloud environments, which subsequently revealed additional exposures: in July 2023 Toyota disclosed further cloud misconfigurations potentially affecting up to 9.5 million customers globally across Toyota operations in multiple countries. Toyota apologized and implemented automated security monitoring for cloud configurations. The case became a prominent example of long-running cloud security misconfigurations at major automotive manufacturers.
Technical Details
- Initial Attack Vector: Misconfigured Toyota Connected cloud environment exposed vehicle location data to the public internet; the data was stored in a cloud environment (managed by Toyota's subsidiary Toyota Connected) with misconfigured access controls that made it publicly accessible without authentication for approximately 10 years
- Vendor / Product: Toyota Connected cloud platform / Toyota T-Connect telematics service
Timeline
- 2013-11-06 Breach occurred
- 2023-05-12 Publicly disclosed
- 2023-05-12 Customers notified