Toyota Confirms Breach After Stolen Data Leaks On Hacking Forum (bleepingcomputer.com) 7
Toyota confirmed a breach of its network after 240GB of data, including employee and customer information, was leaked on a hacking forum by a threat actor. The company has not provided details on how or when the breach occurred. BleepingComputer reports: ZeroSevenGroup (the threat actor who leaked the stolen data) says they breached a U.S. branch and were able to steal 240GB of files with information on Toyota employees and customers, as well as contracts and financial information. They also claim to have collected network infrastructure information, including credentials, using the open-source ADRecon tool that helps extract vast amounts of information from Active Directory environments.
"We have hacked a branch in United States to one of the biggest automotive manufacturer in the world (TOYOTA). We are really glad to share the files with you here for free. The data size: 240 GB," the threat actor claims. "Contents: Everything like Contacts, Finance, Customers, Schemes, Employees, Photos, DBs, Network infrastructure, Emails, and a lot of perfect data. We also offer you AD-Recon for all the target network with passwords." While Toyota hasn't shared the date of the breach, BleepingComputer found that the files had been stolen or at least created on December 25, 2022. This date could indicate that the threat actor gained access to a backup server where the data was stored. "We are aware of the situation. The issue is limited in scope and is not a system wide issue," Toyota told BleepingComputer. The company added that it's "engaged with those who are impacted and will provide assistance if needed."
"We have hacked a branch in United States to one of the biggest automotive manufacturer in the world (TOYOTA). We are really glad to share the files with you here for free. The data size: 240 GB," the threat actor claims. "Contents: Everything like Contacts, Finance, Customers, Schemes, Employees, Photos, DBs, Network infrastructure, Emails, and a lot of perfect data. We also offer you AD-Recon for all the target network with passwords." While Toyota hasn't shared the date of the breach, BleepingComputer found that the files had been stolen or at least created on December 25, 2022. This date could indicate that the threat actor gained access to a backup server where the data was stored. "We are aware of the situation. The issue is limited in scope and is not a system wide issue," Toyota told BleepingComputer. The company added that it's "engaged with those who are impacted and will provide assistance if needed."
Good time to verify data delation request (Score:5, Interesting)
In May 2023, I submitted a data deletion request to Toyota to delete all of my data while leasing a Prius Prime from 2016 to 2019. When this database comes online in a searchable format, I'll be verifying my data was ACTUALLY removed. If it wasn't and I find my personal information in there, there might be a lawsuit.
Re: (Score:2, Funny)
I don't blame you. I wouldn't want anyone finding out that I leased a Prius either.
Re: Good time to verify data delation request (Score:3)
Good luck with your lawsuit . The privacy laws in the US have no teeth. You may get a $2 coupon towards your next Toyota. And free credit monitoring, if you are lucky.
I should probably check if I'm on the list too. Had a 2001/2007/2011 Prius, before moving to plug-in cars of other brands. Don't think I'll ever own another Toyota after their stupidity with hydrogen cars. They have been left behind.
Re: (Score:1)
Re: (Score:2)
Would you have required him to submit the request to remove the data, BEFORE the data was there?
Only in Europe, you say? (Score:3)
It's hopeless here because the governments of Canada and the United States are utterly dominated by corporations, but maybe the EU will decide to deal with situations like this.
I would love to see legislation providing really significant financial penalties for any company that failed to protect customers' data, with the fines doubled or tripled for any data the company gathered in excess of the absolute minimum needed for a business relationship.