Automotive giant confirms the breach but clarifies its systems were not compromised, with the stolen data originating from a third-party entity misrepresented as Toyota
Toyota has confirmed that a third-party data breach led to the exposure of 240GB of customer and employee information, after a threat actor leaked the stolen data on a hacking forum.
“We are aware of the situation. The issue is limited in scope and is not a system-wide issue,” Toyota stated when asked by BleepingComputer to verify the breach. The company further added that it is “engaged with those who are impacted and will provide assistance if needed,” but has yet to disclose when the breach was discovered, the method of the attack, or the number of individuals affected.
A day later, a spokesperson clarified that Toyota Motor North America’s systems were “not breached or compromised,” and the stolen data was taken from what appears to be “a third-party entity that is misrepresented as Toyota.” When asked for the identity of the breached entity, Toyota Motor North America declined to provide further details.
The threat actor, known as ZeroSevenGroup, claimed responsibility for the breach, stating that they infiltrated a U.S. branch of Toyota and stole 240GB of data, including information on employees and customers, contracts, financial details, and network infrastructure data. They allegedly used the ADRecon tool to extract extensive information from Active Directory environments, including credentials.
“We have hacked a branch in the United States belonging to one of the biggest automotive manufacturers in the world (TOYOTA). We are really glad to share the files with you here for free. The data size: 240GB,” ZeroSevenGroup declared on the forum. They claimed the data included contacts, financial information, customer details, employee records, network infrastructure, emails, and other critical data.
While Toyota has not specified the exact date of the breach, BleepingComputer discovered that the files were either stolen or created on 25 December 2022. This could suggest that the threat actor accessed a backup server where the data was stored.
This incident follows several other data breaches Toyota has experienced in the past year. In December, Toyota Financial Services (TFS) warned customers that their sensitive personal and financial data was exposed due to a Medusa ransomware attack affecting its European and African divisions. Earlier in May, Toyota disclosed a breach that exposed the car-location information of 2,150,000 customers over a decade due to a misconfigured database in the company’s cloud environment. Additional misconfigured cloud services were later found to have leaked customers’ personal information for over seven years.
In response to these incidents, Toyota implemented an automated system to monitor cloud configurations and database settings across all its environments to prevent future leaks.

