At the end of March 2023, Toyota Italy disclosed that it had been leaking sensitive data for over a year, exposing its customers’ personal information. The leak included secrets for the company’s Salesforce Marketing Cloud account (a provider of digital marketing automation and analytics software and services) and its Mapbox API keys (used to query map data).
Toyota Italy is a major producer of automotive vehicles, selling between 71,000 and 91,000 cars per year.
As the latest example of a corporate data breach, the Toyota case shows that far more needs to be done to keep sensitive data secure. This point is made by Mark Shainman, Senior Director of Data Governance Products at Securiti, who outlined the weaknesses to Digital Journal.
Shainman begins by outlining which areas have been affected by the carmaker’s insecure data handling practices: “Toyota clients’ phone numbers and email addresses are among the exposed information. Unauthorized disclosure of sensitive data could lead to fines, legal action, reputational harm, financial losses, and other major repercussions for the brand.”
As to what the loss of data means in the longer term, Shainman notes: “The main long-term impact of a data leak caused by an authorized disclosure could very well be the loss of customers’ trust – ending in catastrophic business losses.”
In terms of the implications, Shainman is direct: “For the safety of customers’ data and regulatory reasons, enterprises must maintain up-to-date and implement holistic security, privacy, and compliance reports.”
The issue also carries legal ramifications, as Shainman points out: “This breach falls under the General Data Protection Regulation (GDPR) which provides laws on data protection and privacy. Serious violations can result in a fine of up to €20 million or 4 percent of a firm’s annual revenue from the preceding year, depending on what is higher. So the fines can be huge for a firm like Toyota if they are found to be negligent and at fault.”
Not all GDPR infringements lead to data protection fines. Supervisory authorities can take a range of other actions, including:
- Issuing warnings and reprimands;
- Imposing a temporary or permanent ban on data processing;
- Ordering the rectification, restriction or erasure of data; and
- Suspending data transfers to third countries.
In terms of preventative measures for corporate consideration, Shainman states: “Large companies that have millions of customers across the world must consistently conduct data breach assessments to gain real-time insights into what threats they face, ensure the deployment of proper countermeasures and understand what obligations various regulations in different regions place on them.”