Auto

Toyota’s Sensitive 240 GB Data Exposed by Third-Party Breach

Toyota has confirmed that a third-party data breach led to the exposure of customer information after a hacker released an archive containing 240 GB of stolen data on a hacking forum.

The company acknowledged the situation, emphasizing that it is a limited issue and not a widespread system problem. Toyota stated they are in contact with those affected and are ready to assist if needed. However, they have not yet provided details on when the breach was discovered, how the attacker accessed the data, or the number of individuals affected.

Later, a spokesperson clarified that Toyota Motor North America’s systems were not directly breached. Instead, the data was stolen from a third-party entity that has been misrepresented as Toyota. The spokesperson did not disclose the name of the third-party entity involved.

The data breach was claimed by ZeroSevenGroup, who stated that they infiltrated a U.S. branch and stole 240 GB of data, including information about Toyota employees and customers, contracts, financial data, and network infrastructure details. They reportedly used the ADRecon tool to collect this data from Active Directory environments.

While Toyota has not specified the date of the breach, it is suggested that the data may have been accessed or created on December 25, 2022, potentially indicating that the threat actor gained entry to a backup server.

This incident follows a series of previous data breaches involving Toyota. In December last year, Toyota Financial Services warned customers that their personal and financial data had been exposed in a data breach caused by a Medusa ransomware attack. Earlier in May, Toyota revealed another breach in which the location data of over 2 million customers was exposed for nearly a decade due to a cloud database misconfiguration. Following these incidents, Toyota implemented an automated system to monitor and secure cloud configurations to prevent future leaks.

In 2019, multiple Toyota and Lexus sales subsidiaries were also breached, resulting in the theft and leakage of up to 3.1 million customer records.

Share
Published by
Saqib Rehman