Toyota ransomware attack breached personal data

ransomware

Toyota Financial Services (TFS), the finance division of the international automobile giant Toyota, recently publicized an unauthorized intrusion into its systems, leading to a significant data breach. The incident resulted in the exposure of sensitive personal and financial information of TFS customers.

TFS is an integral part of the Toyota Motor Corporation, providing an array of financial services to Toyota customers and dealerships globally. As a subsidiary of Toyota, TFS aims to facilitate the purchase or lease of Toyota vehicles with flexible and personalized financial options, including auto loans, leases, and insurance solutions. The services TFS offers may differ by region and are typically accessible through Toyota dealerships or online platforms.

Initial Discovery

TFS detected a system breach following a claim from the Medusa ransomware group, who asserted to have successfully compromised the financial division of the renowned Japanese automaker. The company responded by taking certain systems offline to contain the breach, thereby impacting customer services.

The cybercriminals managed to gain access to customer’s full names, residence addresses, contract information, lease-purchase details, and International Bank Account Numbers (IBAN). Such data can potentially be exploited for phishing, social engineering, scams, financial fraud, and even identity theft attempts.

Medusa’s Ransom Demand

The Medusa ransomware group demanded a ransom payment of $8,000,000 to delete the stolen data, providing Toyota with a 10-day window to respond to their blackmail. Disappointingly, it appears that Toyota did not negotiate with the cybercriminals, and subsequently, all the stolen data was leaked on Medusa’s extortion portal on the dark web.

Since its first sighting in June 2021, Medusa Ransomware (or MedusaLocker) has been on the radar of cybersecurity experts. Operating under the Ransomware-as-a-Service (RaaS) model, the Medusa Ransomware group collaborates with global affiliates, making its reach and impact even more widespread.

Medusa Ransomware is not just another name in the long list of ransomware threats; it is a multifaceted menace. Each encrypted file, bearing a variety of extensions, reminds us of the numerous snakes that crowned the Gorgon’s head. The most prominent among these is the unmistakable “.MEDUSA” extension, a signature mark of this ransomware’s venomous touch.

Impact on Toyota Kreditbank GmbH and Customer Notification

Toyota Kreditbank GmbH, a division in Germany, was identified as one of the impacted divisions. The company had to admit that hackers had gained access to its customers’ personal data, further intensifying the severity of the data breach.

In an attempt to manage the crisis, Toyota started notifying its customers about the breach, informing them about the compromised data. The company advised its German customers to remain vigilant and contact their bank to undertake additional security precautions.

Ongoing Investigation

While the company verifies the compromised data based on its ongoing investigation, the internal examination is not yet complete. There remains a possibility that the attackers accessed additional information. Toyota has pledged to update affected customers promptly should the internal investigation reveal further data exposure.

The Medusa group proceeded to publish the stolen data on its Tor leak site. The leaked sample data included financial documents, invoices, hashed account passwords, passport scans, and more, which were primarily in German. This indicates that the data was mainly stolen from company systems located in Germany.

Response from Data Protection Officer

Impacted customers are now at a higher risk of fraudulent activities, including identity theft and financial fraud. The data breach has undoubtedly shaken the trust of Toyota’s customers and stakeholders.

Toyota also notified the data protection officer for North Rhine-Westphalia about the security breach. As the investigation is still ongoing, it remains to be seen what further steps will be taken to mitigate the effects of this significant data breach.

If you liked this article, we advise you to read our previous article about JAXA’s Cyberattack. Follow us on Twitter and LinkedIn for more content.

Stay up to date with exposed information online. Kaduu with its cyber threat intelligence service offers an affordable insight into the darknet, social media and deep web.