Toyota confirms data breach as threat actor leaks 240GB of sensitive information

Multinational automotive manufacturer Toyota confirmed that its network was compromised after a threat actor, ZeroSevenGroup, leaked 240GB of data stolen from the company’s systems on a hacking forum. The breach reportedly involved a U.S. branch of the automotive giant, with stolen files containing sensitive information about Toyota employees, customers, contracts, and financial data.

Toyota acknowledged the breach in a statement, emphasizing that the incident is “limited in scope and is not a system-wide issue.” The company assured that it works closely with those affected and will provide assistance as needed. However, Toyota has not disclosed critical details, including when the breach was discovered, how the attacker infiltrated the system, and the number of individuals whose data was exposed.

The threat actor, ZeroSevenGroup, claims to have used the open-source ADRecon tool, which extracts comprehensive data from Active Directory environments, to gather credentials and network infrastructure information. The leaked data reportedly includes contacts, financial records, customer data, network details, and passwords. The threat actor expressed satisfaction in sharing the stolen data on the forum, boasting about the extent of the breach.

Although Toyota has not provided a specific date for the breach, an investigation by BleepingComputer suggests that the files may have been stolen or created on December 25, 2022. This detail implies that the attacker might have accessed a backup server where the data was stored, though this remains unconfirmed by Toyota.

This breach adds to a series of cybersecurity challenges for Toyota. In December 2023, Toyota Financial Services (TFS) warned customers of a data breach involving sensitive personal and financial information following a Medusa ransomware attack that targeted the company’s European and African divisions.

Earlier in May 2023, Toyota disclosed another major data breach that exposed the car-location information of 2,150,000 customers over ten years due to a database misconfiguration in its cloud environment. Subsequent investigations revealed additional misconfigured cloud services that had leaked customer data for over seven years.

In response to these incidents, Toyota implemented an automated system to monitor cloud configurations and database settings to prevent future leaks. Despite these measures, the recent breach underscores ongoing vulnerabilities in the company’s cybersecurity infrastructure. The full impact of this latest breach is still unfolding.