An Amazon cloud server left unprotected on the web is responsible for leaking the personal data contained in over half a million accounts owned by a vehicle tracking company.

The Kromtech Security Center recently discovered the goldmine of email addresses, passwords, license plates and VINs belonging to SVR Tracking, a firm specializing in “continuous vehicle tracking, every two minutes when moving.” Only Amazon and SVR know how long the data was left exposed.

Anyone with a valid set of login credentials gained from this leak would be able to determine a vehicle’s precise location history for all of the past 120 days. Kromtech says “there is even an option that will show anyone [logged into an account] the top stops or locations where the vehicle has been”.

The location data was generated by SVR’s (Sorrento Valley Research) tracking devices, discreetly installed in vehicles as part of a subscription service intended to foil theft, monitor employees, and provide notifications of entry into impound lots and other custom-defined areas.

In addition, the leak exposed 339 logs containing a wide range of vehicle records, including images and maintenance records, as well as documents detailing contracts with more than 400 car dealerships that use SVR’s services.

Vehicle cybersecurity has garnered a lot of attention this year. The US National Highway Traffic Safety Administration released a vehicle cybersecurity position paper, the UK Department of Transport put out its key principles of vehicle cyber security for connected and automated vehicles, and the Security and Privacy in your Car Act (SPY Car Act… haha, boooo) was reintroduced in the US Senate. But these principles and policies would have done nothing to prevent this data from getting out there – this was the fault of SVR and their developers failing to secure a cloud server resource. It’s the exact same type of data leak that occurred with a toy maker earlier this year, exposing 2 million messages exchanged between children, their parents, and their CloudPets smart toys.
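The failure described above is a misconfigured cloud storage resource rather than anything vehicle-specific. The following added example (not code from SVR, Kromtech or the original post) shows the kind of check a developer could run over their own account; it assumes the exposed resource was an Amazon S3 bucket, which the post does not state, and the sample ACL and settings are constructed, not SVR’s real configuration.

```python
"""Audit S3 bucket ACLs for grants that open a bucket to the world.

Added example; assumes the exposed 'Amazon cloud server' was an S3 bucket.
public_grants() and blocks_public() work offline on the dict shapes that
boto3's get_bucket_acl() / get_public_access_block() return; audit_account()
is the live scan and needs boto3 plus AWS credentials.
"""
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def public_grants(acl):
    """Return [(who, permission)] for every ACL grant to a world-readable group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue                      # owner / canonical-user grants are fine
        who = PUBLIC_GRANTEES.get(grantee.get("URI"))
        if who:
            findings.append((who, grant["Permission"]))
    return findings

def blocks_public(pab):
    """True only when all four Public Access Block guards are switched on."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k, False) for k in keys)

# Constructed sample of a leaky bucket: anonymous READ lets anyone list/fetch objects.
LEAKY_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
NO_BLOCK = {"PublicAccessBlockConfiguration": {k: False for k in
            ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}}

def audit_account():
    """Live scan: report every bucket with a public grant and no blanket block."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            pab = s3.get_public_access_block(Bucket=name)
        except ClientError:               # no Public Access Block configured at all
            pab = {}
        for who, perm in public_grants(s3.get_bucket_acl(Bucket=name)):
            if not blocks_public(pab):
                print(f"{name}: {perm} granted to {who}, and public access is not blocked")

if __name__ == "__main__":
    audit_account()
```

Bucket policies can open a bucket just as effectively as ACLs, so a complete audit would also inspect get_bucket_policy_status() for each bucket.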

Cars and smart toys are clearly different product types, with different regulatory regimes and different types of personal data collected (location vs children’s utterances). The identical nature of the two data leaks illustrates the need for generic data security legislation. IoT-specific regulation such as California’s proposed “Teddy Bear and Toaster” Act is a respectable attempt to raise the bar for security, privacy and notification. However, its specific focus on connected devices would likely not have caused companies to be more internally vigilant with their development processes.

In its 2015 IoT report, the FTC reiterated its call for a generic data security law:

The Commission has continued to recommend that Congress enact strong, flexible, and technology-neutral legislation to strengthen the Commission’s existing data security enforcement tools and require companies to notify consumers when there is a security breach… We emphasize that general technology-neutral data security legislation should protect against unauthorized access to both personal information and device functionality itself.

While there seems to be periodic interest in a Federal-level data breach notification law that would preempt numerous related state laws, comprehensive Federal data security law is likely not coming soon.