Toyota has confirmed another hack of its internal network – the stolen data has already been published

Toyota has confirmed that its corporate network has been hacked after an attacker uploaded a 240-gigabyte archive of stolen data on a hacker forum. According to the company, “the problem is limited in scope and is not a system-wide problem.” The company is cooperating with those affected, but has not yet said how the attacker gained access or how many people were affected by the incident.

Image source: unsplash.com

Cybercriminals from the hacker group ZeroSevenGroup claim that they hacked into a Toyota branch in the United States and stole 240 GB of files containing information about Toyota employees and clients, as well as contracts and financial information. The attackers were able, they say, to obtain information about the network infrastructure, including credentials, using the open source tool AD-Recon, which helps extract huge amounts of information from Active Directory environments.

«We hacked the US branch of one of the largest car manufacturers in the world (TOYOTA). We are very happy to share the files with you here for free. Data size: 240 GB, the criminals wrote in a comment on the hacker forum. – Contents: everything, such as contacts, finances, clients, diagrams, employees, photos, databases, network infrastructure, emails and a lot of ideal data. We also offer you AD-Recon for the entire target network with passwords.”

Image source: BleepingComputer

Although Toyota did not disclose the date of the leak, indirect evidence suggests that the attackers gained access to a backup server that did not contain the latest information, since the stolen files have a creation date of December 25, 2022.

Data breaches due to cybercriminals are plaguing Toyota. Several Toyota and Lexus subsidiaries were hacked in 2019. The attackers stole what the company described as “up to 3.1 million pieces of customer information.”

In October 2022, Toyota reported a possible leak of personal information of about 296 thousand customers of the T-Connect service, a telematics ecosystem for informing car owners via smartphone about the location and condition of their vehicles. The leak affected T-Connect clients registered in the service since July 2017.

Last December, Toyota Financial Services notified customers that their sensitive personal and financial data had been leaked as a result of the Medusa ransomware attack that affected the Japanese automaker’s European and African operations in November.

In May 2023, Toyota reported that the vehicle location information of 2,150,000 customers over a ten-year period, from November 6, 2013 to April 17, 2023, was exposed to the public due to a database misconfiguration in the company’s cloud environment. A few weeks later, two more misconfigured cloud services were identified that had been leaking personal data from Toyota customers for more than seven years.

Following these two incidents, Toyota implemented an automated system to monitor cloud configurations and database settings across all of its environments to prevent similar breaches in the future. Apparently, the measures taken were not enough.