Toyota Confirms Personal and Financial Data Stolen in Nov Ransomware Attack

Toyota customers’ full names, addresses, lease-purchase info, International Bank Account Numbers (IBAN) and contract information were impacted.

December 13, 2023

  • Medusa ransomware gang’s November attack against Toyota saw the threat actor exfiltrate personal and financial information, as acknowledged by Toyota to its customers in a recent letter.
  • Toyota did not pay the ransom, and the attacker has since leaked the stolen data on its Tor leak site.

Japanese automaker Toyota’s Germany-based subsidiary is notifying customers that a recent ransomware attack compromised their personal and financial details. Toyota Financial Services Europe & Africa notified customers on December 7, 2023, two days after publicly acknowledging that the mid-November attack compromised “a limited number of locations,” including Toyota Kreditbank GmbH.

Toyota Financial Services’ letter to customers, obtained by German news agency Heise, notes that customers’ first and last names, addresses, lease-purchase info, International Bank Account Numbers (IBAN) and contract information were impacted. Toyota Financial Services manages sales financing services such as car loans, leases, and more.

Toyota Notification to Customers After Medusa Ransomware Attack

Source: Heise

The cyberattack and the resulting compromise and exfiltration of data have been claimed by the Medusa ransomware gang, which, after failing to extract a ransom from Toyota, leaked the stolen information on its Tor leak site.

“It is reassuring that Toyota appears not to have paid the attackers, but this does mean victims should be on guard for fraud and identity theft,” Brian Boyd, head of technical delivery at i-confidential, told Spiceworks.

“They should consider using credential monitoring services to identify fraudulent credit applications, but also keep an eye on email accounts, as attackers could also use the data stolen to execute phishing attacks to steal more information. Any emails in relation to the breach must be treated with caution, especially ones requesting personal data.”

After the breach in November, Medusa shared sample data it exfiltrated from Toyota, consisting of spreadsheets, cleartext user IDs/passwords, staff email addresses, hashed account passwords, financial documents, purchase invoices, agreements, financial performance reports, etc.

Toyota’s investigation is ongoing, so it is possible that the company may apprise customers of additional breach details, such as any other stolen data. Mike Newman, CEO of My1Login, told Spiceworks, “This is yet another example of how criminals hold all the power when it comes to ransomware.”

“It doesn’t matter if the organization pays the ransom demand; attackers always have the upper hand as they can still sell the stolen data or use it to target victims, so the money-making opportunities are endless.”

The Medusa ransomware gang has been active since June 2021, operating under a ransomware-as-a-service model through its affiliate network. For initial access it primarily relies on exposed or poorly secured Remote Desktop Protocol (RDP) services and deceptive phishing campaigns, according to SOCRadar.

“It’s not clear how the attackers initially gained access to Toyota’s systems, but with unauthorised access being detected, this could indicate stolen credentials were involved. If this is the case, it is yet another reminder of the importance of improving access security to defend against ransomware,” Newman added.

“With data frequently revealing that phishing and credential theft are two of the most common attack vectors used to deploy ransomware, the incident reinforces the importance of organizations moving away from password-based security mechanisms and improving their cyber defenses through modern identity solutions that ensure employees no longer handle, manage or know passwords, so they can’t be stolen or phished from them.”

“Removing passwords from employees closes the door on ransomware [gangs’] most frequently used attack vector and significantly bolsters cyber defenses.”

Medusa ransomware gang’s recent targets include The International Civil Defense Organization, the Sartrouville commune in France, and three U.S. school districts: Glendale Unified School District in California, the Hinsdale School District in New Hampshire, and the Campbell County Schools in Kentucky.

Sumeet Wadhwani
Asst. Editor, Spiceworks Ziff Davis
