Toyota Motor Co. has been hacked again, with Toyota Kreditbank GmbH, the German arm of Toyota’s financial services branch, providing details of a data breach that may have affected customers through Europe and Africa.

The breach, which affected Toyota Financial Services, was initially disclosed in November, with the company taking systems offline as a result. The Medusa ransomware gang subsequently claimed responsibility, claiming on its leaks site that it had stolen financial documents, purchase invoices, hashed account passwords, clear-text user IDs and passwords, agreements, passport scans, internal organization charts, financial performance reports and other company information.

MEDUSA is asking for an $8,000,000 ransom.

Threat Actor: MEDUSA
Ransomware Victim: Toyota Financial
Date: 2023-11-16
Note: Allegedly, #MEDUSA has named #Toyota #ToyotaFinancial as a victim. #Ransomware #StopRansomware #DarkWeb #DarkWebInformer #Leaks #Leaked #Cyberattack pic.twitter.com/2qhIqsvNk7

— Dark Web Informer (@DarkWebInformer) November 16, 2023

Notably, Medusa has since released the stolen information as Toyota declined to pay the ransom demanded.

In a statement published Dec. 5 in German, Toyota Kreditbank GmbH said that the attack occurred on Nov. 16 and involved unauthorized activity on systems at a limited number of locations, including Toyota Kreditbank GmbH in Germany. Along with some basic platitudes about how personal data and protection of customers are high priorities, the only details provided were that “unauthorized persons gained access to personal data.” The company added that all affected customers had been informed and that its systems have been gradually restored since Dec. 1.

Although the attack vector has not been disclosed, Security Week reported that security researchers believed that the ransomware gang may have exploited the Citrix Bleed vulnerabilities. The vulnerabilities, which are found in Citrix Systems Inc.’s NetScaler and NetGateway product lines, were first disclosed in July with attackers subsequently found to be exploiting them in August.

Whatever path taken to infect Toyota’s systems is arguably not as important as the fact that Toyota keeps being hacked. Toyota may not be as bad as serial failed security offenders such as T-Mobile USA Inc. or LastPass, but it does have fairly regular security breaches, whether direct or across its supplier network.

In February, a security researcher revealed that he had gained access to Toyota’s Global Supplier Preparation Information Management System, but fortunately, no damage was done. In October 2022, Toyota warned that nearly 300,000 customers may have had their data stolen it had left access key on GitHub. The same month, data was also stolen from Denso Corp., a global automotive manufacturer based in Japan that is 25% owned by Toyota.

In March 2022, Toyota was forced to halt manufacturing operations at all of its plants in Japan after a cyberattack struck Kojima Industries Corp. and 3.1 million customers were affected when Toyota Motor North America was hacked in 2019.

“The attack on Toyota Financial Services comes in the same year that two other decade-long breaches of the overarching company were discovered,” Dr. Darren Williams, founder and chief executive at ransomware prevention company BlackFog Inc., told SiliconANGLE. “Toyota’s cascading cyber incidents provide a perfect example of why organizations must get ahead of future problems, especially now that cybercriminals know they have a penetrable system.”

Photo: Shuets Udono/Wikimedia Commons