Toyota confirmed that customer data was exposed in a third-party data breach after a threat actor leaked an archive of 240GB of stolen data on a hacking forum.
“We are aware of the situation. The issue is limited in scope and is not a system wide issue,” Toyota told BleepingComputer when asked to validate the threat actor’s claims.
The company added that it’s “engaged with those who are impacted and will provide assistance if needed,” but has yet to provide information on when it discovered the breach, how the attacker gained access, and how many people had their data exposed in the incident.
One day later, a spokesperson clarified in a new statement shared with BleepingComputer that Toyota Motor North America’s systems were “not breached or compromised,” and the data was stolen from what appears to be “a third-party entity that is misrepresented as Toyota.”
When asked to share the name of the breached third-party entity, the spokesperson said that Toyota Motor North America was “not at liberty to disclose” that information.
Employee and customer data exposed
ZeroSevenGroup (the threat actor who leaked the stolen data) says they breached a U.S. branch and were able to steal 240GB of files with information on Toyota employees and customers, as well as contracts and financial information,
They also claim to have collected network infrastructure information, including credentials, using the open-source ADRecon tool that helps extract vast amounts of information from Active Directory environments.
“We have hacked a branch in United States to one of the biggest automotive manufacturer in the world (TOYOTA). We are really glad to share the files with you here for free. The data size: 240 GB,” the threat actor claims.
“Contents: Everything like Contacts, Finance, Customers, Schemes, Employees, Photos, DBs, Network infrastructure, Emails, and a lot of perfect data. We also offer you AD-Recon for all the target network with passwords.”
While Toyota hasn’t shared the date of the breach, BleepingComputer found that the files had been stolen or at least created on December 25, 2022. This date could indicate that the threat actor gained access to a backup server where the data was stored.
Last year, Toyota subsidiary Toyota Financial Services (TFS) warned customers in December that their sensitive personal and financial data was exposed in a data breach resulting from a Medusa ransomware attack that impacted the Japanese automaker’s European and African divisions in November.
Months earlier, in May, Toyota disclosed another data breach and revealed that the car-location information of 2,150,000 customers was exposed for ten years, between November 6, 2013, and April 17, 2023, because of a database misconfiguration in the company’s cloud environment.
Weeks later, it found two additional misconfigured cloud services leaking Toyota customers’ personal information for over seven years.
Following these two incidents, Toyota said it implemented an automated system to monitor cloud configurations and database settings in all its environments to prevent such leaks in the future.
Multiple Toyota and Lexus sales subsidiaries were also breached in 2019 when attackers stole and leaked what the company described at the time as “up to 3.1 million items of customer information.”
