The local automotive industry has been given a wake-up call following the recent Optus hack – the largest data breach in Australian history, in which personal details of 9.8 million customers were stolen.
Toyota Australia has confirmed that a cybersecurity flaw discovered overseas, involving almost 300,000 customer email addresses, does not affect local customers.
Toyota’s headquarters in Japan issued an apology on Friday, revealing an investigation by security experts found 296,019 email addresses and customer management numbers of T-Connect mobile app subscribers were at risk – though it could neither confirm nor deny whether the information had found its way into the hands of scammers.
In a statement issued to Drive, a Toyota spokesperson said the “T-Connect systems are Japan-based and are not linked to any services we offer in Australia”.
In 2019, Toyota Australia was the subject of an attempted cyber attack – and in March 2022 a cyber attack forced the car giant to temporarily halt production at all 14 of its Japanese factories – though no customer data is believed to have been exposed in either instance.
However, in light of the recent Optus hacking scandal – in which driving licence numbers and passport details were compromised – concerns have been raised regarding what personal information is held by automotive companies, car dealerships, and associated businesses in Australia.
The director of a large Australian novated lease provider – speaking on condition of anonymity – told Drive his company had recently made the decision to remove all sensitive customer information from its IT systems to minimise exposure to a potential hack.
“If Optus can get hacked, we don’t stand a chance,” the executive said, revealing management had sat down with a cybersecurity expert in the days following the telecommunication company’s data breach.
Following the Optus data breach, the Australian Automotive Dealer Association (AADA) sent a bulletin to its members reiterating the importance of cyber security, providing tips on how to help defend their systems from unauthorised access.
However, it is unclear which – if any – car dealerships have policies to delete sensitive licence details after new vehicles have been purchased, or after a service loan vehicle has been returned.
Sam ‘Frenchie’ Stewart – CEO of Frenchie InfoSec, and former Infrastructure Security Engineer at a Silicon Valley self-driving car company – said stripping unnecessary information from IT systems was the best way to avoid exposing sensitive data.
“While I always encourage consumers to be mindful about what information they share online, the responsibility here lies with the companies entrusted with the protection of that data,” Mr Stewart told Drive.
“[Canadian-British journalist and author] Cory Doctorow said it best in 2008: Companies need to treat data like radioactive waste – only collect the absolute minimum personal information required, and invest in appropriate safeguards to protect the privacy of their customers,” the cyber security expert told Drive.
“You can’t leak data that you don’t collect, so I would like to see more companies adopting the trend of data minimisation as a means of being proactive about taking consumer privacy seriously,” Mr Stewart added.
The post Toyota data breach: Australia safe for now as car industry gets wake-up call appeared first on Drive.