Toyota Kreditbank GmbH, a division of the automaker Toyota, is facing a major cybersecurity threat after a ransomware group known as Medusa claimed to have stolen confidential information and demanded an $8 million ransom. The group has threatened to publish the sensitive documents and data files if the company does not meet the demand by November 26th. Toyota has confirmed that it is investigating the situation.
The episode revolves around a cloud misconfiguration on Toyota's servers that potentially exposed sensitive customer data belonging to over two million individuals. The misconfiguration existed between November 6, 2013, and April 17, 2023, allowing unauthorized parties to access data from customers who had subscribed to the Toyota services T-Connect, G-Link, G-Link Lite, and/or G-BOOK between January 2, 2012, and April 17, 2023.
Toyota acknowledged that the cloud misconfiguration resulted from "insufficient explanation and thoroughness of data handling rules". The company has announced that it will thoroughly educate employees to prevent a recurrence. It is implementing an auditing system for cloud settings, conducting surveys of the cloud environment, and building a system to monitor the configuration status on an ongoing basis so that further data breaches are prevented.
The cyber-attack on Toyota also disrupted its operations in Europe and Africa. Toyota Financial Services Europe and Africa reported detecting unauthorized activity on some of its sites' systems, prompting it to take some systems offline for further examination. The company did not disclose the origin, scope, or nature of the problem, but the Medusa ransomware group has claimed responsibility and demanded a ransom of US$8 million, giving Toyota a 10-day deadline to respond.
Furthermore, cybersecurity experts report that Toyota's internet-facing systems are affected by the "Citrix Bleed" vulnerability, which has already impacted numerous organizations and governments. The Medusa group, active since 2021, is known to gain initial access through weakly secured Remote Desktop Protocol (RDP) services and phishing campaigns. It has previously targeted other organizations, including a technology company founded by two major Canadian banks, a Minnesota school district, an Italian water company, and a Philippine government agency responsible for the healthcare system.
Toyota emphasized that it is collaborating with law enforcement and conducting its own investigation into the incident. It is in the process of bringing its systems back online in most countries and has expressed regret for any inconvenience caused to its clients and business partners. The company has stated that the incident is currently limited to Toyota Financial Services Europe and Africa and has issued a public apology for the breach.
After conducting a security investigation, Toyota announced that it can neither confirm nor rule out third-party access to the data server containing customer email addresses and management numbers. It has, however, promised to individually notify each person affected by the breach.
This ransomware incident highlights the growing threat of cyber-attacks against major corporations and the urgent need for stringent security measures to protect sensitive customer data and business operations. Toyota's swift response to the breach and its commitment to protecting customer privacy are crucial to maintaining trust and ensuring the security of its services in the future.