Toyota Confirms Personal & Financial Data Stolen in Medusa Ransomware Attack

Toyota’s Germany-based financial services subsidiary is notifying customers that a recent ransomware attack compromised their personal and financial details. Toyota Financial Services Europe & Africa sent the notifications after publicly acknowledging that the mid-November attack affected “a limited number of locations,” including Toyota Kreditbank GmbH.


A letter sent by Toyota Financial Services to customers, obtained by German news agency Heise, notes that customers’ first and last names, addresses, lease-purchase info, International Bank Account Numbers (IBAN), and contact information were impacted. Toyota Financial Services manages sales financing services such as car loans, leases, and more.

Toyota Notification to Customers After Medusa Ransomware Attack

The Medusa ransomware gang has claimed the attack and the resulting data exfiltration; after failing to extract a ransom from Toyota, it leaked the stolen information on its Tor leak site. Following the November breach, Medusa had already published sample data taken from Toyota, consisting of spreadsheets, cleartext user IDs and passwords, staff email addresses, hashed account passwords, financial documents, purchase invoices, agreements, financial performance reports, and more.


Since Toyota continues to investigate the incident, the company may notify customers of more breach information in the future, including any new stolen data. According to Mike Newman, CEO of My1Login:

“This is yet another example of how criminals hold all the power when it comes to ransomware. It doesn’t matter if the organization pays the ransom demand; attackers always have the upper hand as they can still sell the stolen data or use it to target victims, so the money-making opportunities are endless.”

The Medusa ransomware gang has been active since June 2021 and operates under a ransomware-as-a-service (RaaS) model through a network of affiliates. According to SOCRadar, it primarily gains initial access through exposed or vulnerable Remote Desktop Protocol (RDP) services and deceptive phishing campaigns. Newman goes on to add:
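As an added illustration of the RDP initial-access vector mentioned above (example code written for this page, not from the article, SOCRadar, Toyota or Medusa), the following Python flags brute-force or password-spraying attempts against an RDP service from Windows Security logon events. The event rows are constructed; the event IDs and logon type are the standard Windows ones (4625 = failed logon, 4624 = successful logon, Logon Type 10 = RemoteInteractive, i.e. RDP). The threshold of five failures in five minutes is an assumption to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not real Toyota data):
# (timestamp, event_id, logon_type, target_account, source_ip).
# Event 4625 = failed logon, 4624 = successful logon; Logon Type 10 = RDP.
SAMPLE_EVENTS = [
    ("2023-11-14T02:00:01", 4625, 10, "Administrator", "203.0.113.7"),
    ("2023-11-14T02:00:04", 4625, 10, "admin",         "203.0.113.7"),
    ("2023-11-14T02:00:09", 4625, 10, "backup",        "203.0.113.7"),
    ("2023-11-14T02:00:15", 4625, 10, "svc_sql",       "203.0.113.7"),
    ("2023-11-14T02:00:22", 4625, 10, "jdoe",          "203.0.113.7"),
    ("2023-11-14T02:00:30", 4624, 10, "jdoe",          "203.0.113.7"),    # success right after the burst
    ("2023-11-14T08:15:00", 4625, 10, "mmueller",      "198.51.100.20"),
    ("2023-11-14T08:16:10", 4625, 10, "mmueller",      "198.51.100.20"),  # two typos, benign
    ("2023-11-14T08:17:00", 4625, 2,  "mmueller",      "198.51.100.20"),  # console logon, not RDP
    ("2023-11-14T09:00:00", 4625, 3,  "scanner",       "192.0.2.50"),     # network logon, not RDP
]


def parse_events(rows):
    """Turn the ISO-8601 timestamp of each row into a datetime."""
    return [(datetime.fromisoformat(ts), eid, lt, acct, ip) for ts, eid, lt, acct, ip in rows]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {...}} for every source IP that produced at least
    `threshold` failed RDP logons (4625, logon type 10) inside any sliding
    window of length `window`. Each alert records the peak failure count,
    the distinct accounts tried (many accounts = password spraying) and
    whether a successful RDP logon (4624) from the same IP followed the
    last failure, which is the case worth paging on."""
    failed = defaultdict(list)
    accounts = defaultdict(set)
    succeeded = defaultdict(list)
    for ts, eid, lt, acct, ip in parse_events(events):
        if lt != 10:               # only RemoteInteractive (RDP) logons
            continue
        if eid == 4625:
            failed[ip].append(ts)
            accounts[ip].add(acct)
        elif eid == 4624:
            succeeded[ip].append(ts)

    alerts = {}
    for ip, times in failed.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over sorted failures
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_fail = times[-1]
            alerts[ip] = {
                "failures": peak,
                "accounts": accounts[ip],
                "followed_by_success": any(t > last_fail for t in succeeded[ip]),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

In the constructed sample only 203.0.113.7 trips the rule: five failures across five different accounts in 21 seconds, then a successful logon as jdoe, which is the pattern of a spray that found a working credential. The two failed attempts from 198.51.100.20 stay below the threshold, and the console and network logons are ignored because they are not RDP. Event log hygiene is the point of the exercise; the stronger control is not exposing RDP to the internet at all and putting it behind a gateway with MFA.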

“It’s not clear how the attackers initially gained access to Toyota’s systems, but with unauthorized access being detected, this could indicate stolen credentials were involved. If this is the case, it is yet another reminder of the importance of improving access security to defend against ransomware. With data frequently revealing that phishing and credential theft are two of the most common attack vectors used to deploy ransomware, the incident reinforces the importance of organizations moving away from password-based security mechanisms and improving their cyber defenses through modern identity solutions that ensure employees no longer handle, manage or know passwords, so they can’t be stolen or phished from them.”

Source: SpiceWorks
