Toyota confirmed that customer data was exposed in a third-party data breach after a threat actor leaked an archive of 240GB of stolen data on a hacking forum.
"We are aware of the situation. The issue is limited in scope and is not a system wide issue," Toyota told BleepingComputer when asked to validate the threat actor's claims.
The company added that it's "engaged with those who are impacted and will provide assistance if needed," but has yet to provide information on when it discovered the breach, how the attacker gained access, and how many people had their data exposed in the incident.
One day later, a spokesperson clarified in a new statement shared with BleepingComputer that Toyota Motor North America's systems were "not breached or compromised," and the data was stolen from what appears to be "a third-party entity that is misrepresented as Toyota."
When asked to share the name of the breached third-party entity, the spokesperson said that Toyota Motor North America was "not at liberty to disclose" that information.
Employee and customer data exposed
ZeroSevenGroup (the threat actor who leaked the stolen data) says they breached a U.S. branch and were able to steal 240GB of files with information on Toyota employees and customers, as well as contracts and financial information,
They also claim to have collected network infrastructure information, including credentials, using the open-source ADRecon tool that helps extract vast amounts of information from Active Directory environments.
"We have hacked a branch in United States to one of the biggest automotive manufacturer in the world (TOYOTA). We are really glad to share the files with you here for free. The data size: 240 GB," the threat actor claims.
"Contents: Everything like Contacts, Finance, Customers, Schemes, Employees, Photos, DBs, Network infrastructure, Emails, and a lot of perfect data. We also offer you AD-Recon for all the target network with passwords."
While Toyota hasn't shared the date of the breach, BleepingComputer found that the files had been stolen or at least created on December 25, 2022. This date could indicate that the threat actor gained access to a backup server where the data was stored.
Last year, Toyota subsidiary Toyota Financial Services (TFS) warned customers in December that their sensitive personal and financial data was exposed in a data breach resulting from a Medusa ransomware attack that impacted the Japanese automaker's European and African divisions in November.
Months earlier, in May, Toyota disclosed another data breach and revealed that the car-location information of 2,150,000 customers was exposed for ten years, between November 6, 2013, and April 17, 2023, because of a database misconfiguration in the company's cloud environment.
Weeks later, it found two additional misconfigured cloud services leaking Toyota customers' personal information for over seven years.
Following these two incidents, Toyota said it implemented an automated system to monitor cloud configurations and database settings in all its environments to prevent such leaks in the future.
Multiple Toyota and Lexus sales subsidiaries were also breached in 2019 when attackers stole and leaked what the company described at the time as "up to 3.1 million items of customer information."
Update August 20, 17:09 EDT: Revised article and title based on new information Toyota Motor North America provided.
Comments
nihonmatsu - 8 months ago
It has come to my attention that a third-party data breach involving Toyota customers has been reported by international outlets. However, it seems that major Japanese media and Toyota's official North American website have not yet mentioned this incident. I will be following this situation closely as more info.
AnilPatil_Security - 8 months ago
As per my knowledge, hackers stole information using vulnerability scanning using the open-source ADRecon tool on targeted server Active Directory. As per my data privacy expertise, I found that DLP service is not implemented in Active Directory environments. If the data privacy DLP service is properly implemented in company environments, this situation does not happen.
nihonmatsu - 8 months ago
Thank you for sharing your insights.
It’s true that if hackers used a tool like ADRecon to exploit vulnerabilities in the Active Directory environment, the impact could be severe. However, it’s important to note that data breaches like this can happen even with multiple layers of security, depending on the sophistication of the attack.
Regarding DLP (Data Loss Prevention) services, I agree that proper implementation of DLP within Active Directory environments could help mitigate such incidents by monitoring and preventing unauthorized data transfers. However, implementing DLP in complex environments like large-scale organizations can be challenging, and it often requires a combination of proactive monitoring, real-time alerts, and robust access controls to effectively prevent data exfiltration.
nihonmatsu - 8 months ago
In a new statement to Dark Reading, Toyota North America clarified, "Toyota Motor North America was not the subject of this activity. Contrary to what has been reported, our systems were not breached or compromised. The cited post appears related to a third-party entity that is misrepresented as Toyota. Toyota takes cybersecurity very seriously and we will work to address the concerns of those involved."
a002aa - 8 months ago
<pre aria-label="Translated text" class="tw-data-text tw-ta tw-text-large" data-placeholder="Translation" data-ved="2ahUKEwiL9oOk1o2IAxW4v4kEHefaNnIQ3ewLegQIBxAT" dir="ltr" id="tw-target-text" style="text-align:left">
<span class="Y2IQFc" lang="en">Toyota left Russia and abandoned the plant in St. Petersburg (with all its contents). There you found everything you needed “to connect to servers and download data”! And ADRecon is a "trap" tool for "mommy hackers", created by the "British intelligence agency"!</span></pre>