New Toyota Data Breach Exposes Personal Information of 3.1 Million Customers by Scott Ikeda


Over the past six months, Toyota Motor Corporation has been the victim of a series of data breaches in Australia, Thailand, Vietnam and Japan. The latest data breach in Japan is the most serious in nature, impacting the personal information of as many as 3.1 million customers. Thus far, the automaker says that the Toyota data breach has been contained, and that there is no evidence that cyber attackers have been able to exfiltrate any personal information for nefarious purposes. Still, the fact that cyber incidents continue to occur across Asia-Pacific has led some cybersecurity experts to speculate that the attacks could be coming from cyber-espionage units located in the region.

The Toyota data breach in Japan

According to a Toyota data breach notification, the cyber attack within Japan occurred at eight different Toyota sales subsidiaries or their affiliates, including independent Toyota and Lexus car dealerships located in Tokyo. The Toyota data breach notification specifically listed the following units as having been compromised by third-party attackers: Toyota Tokyo Sales Holdings, Toyota Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla and Lexus Koishikawa Sales.

The true extent of the cyber attack appears to be limited to “unauthorized access” of the automaker’s computer systems, and not to the actual exfiltration of any personal data. According to information in the Toyota data breach notification, personal information that was exposed to unauthorized access included name, birth date and employment information. However, as Toyota notes, no customer credit card information was exposed.

For now, it appears that Toyota has contained the damage from the security incident. In the Toyota data breach notification, the company noted that it took the event seriously, and was already busy implementing enhanced security measures at its automotive dealers, as well as across the entire Toyota Motor Corporation. Moreover, the company noted that Toyota Motor North America (TMNA) is monitoring the situation, and has thus far found no evidence that customers in the United States have been compromised by this data breach.

Other Toyota data breach incidents

This cyber incident in Japan comes fast on the heels of a similar type of cyber attack in Australia that occurred in February. The cyber attack on Toyota Australia (the company’s Australian subsidiary) resulted in disruptions to ongoing operations. It made it difficult to handle sales, as well as to deliver new cars.

Earlier Toyota data breaches also occurred in Asia. For example, in mid-March, Toyota Motor Corporation noted that it had detected unauthorized access on servers in both Thailand and Vietnam. This hacking in Vietnam is what has raised the prospect that a dedicated Vietnamese cyber-hacking and cyber-espionage group known as APT32 (aka “OceanLotus” and “Cobalt Kitty”) may be behind the series of attacks. In the past, APT32 has been linked to large-scale hacking attacks conducted on automotive companies.

So why are hackers specifically targeting large automakers like Toyota? Dan Tuchler, CMO of SecurityFirst, noted that these automakers are rapidly increasing the amount of data they are collecting on customers, which is expanding the potential attack surface. “As cars continue to incorporate in-car Wi-Fi, voice-based assistants, and automated driver assist, there will be a much larger digital footprint stored on a car maker’s servers. Who knows what kind of customer data will be stored, or what hackers can do with it? These car makers need to step up their attention to security, and lock down the data on their servers to prevent future attacks on their customers’ data.”

Earlier cyber security issues at Toyota

The start of the automaker’s data breach problems can be traced back to August 30, which is when a Toyota data breach was first detected on the corporation’s email system. At that time, the concern was that an unauthorized third party could have had access to the personal health information (PHI) of 19,000 Toyota employees. In response to this Toyota data breach, the company immediately put into place a range of security measures, including multifactor authentication, security monitoring enhancements and mandatory password protection and reset policies.

According to Byron Rashed, Vice President of Marketing at Centripetal, there are several possible reasons for these sustained attacks: “Breaches occur for many reasons. Compromised credentials, poor patch management, overburdened IT security teams, the shortage of cybersecurity professionals, and the lack of enforcement, or lack thereof of corporate cybersecurity policies. Utilizing a combination of automated tools and HUMINT, organizations can greatly increase their cybersecurity posture and reduce risk.”

Implications of the Toyota data breach incidents

These Toyota data breach issues highlight the difficulty any large enterprise faces in protecting its personal information and personal data from attack by third parties. It is not out of the realm of possibility that the Toyota data breach in Tokyo is related to the Toyota data breach in Australia, and that hackers may have found a way into the corporation’s most secure computer systems by first hacking into the corporate-wide email system. That might be one reason why Toyota Motor North America (TMNA) has been quick to comment on the incidents, and to reassure U.S.-based Toyota customers that the Toyota data breach has not yet impacted operations in North America, and that there has been no compromise of TMNA systems.

For now, it appears that Toyota has taken every information security measure possible to contain the damage from unauthorized access. In fact, even security experts would have to admit that the company, by announcing the data breach even when there is no evidence that customer data has been compromised, is following the strictest possible transparency procedures. At this time, Toyota appears to have fully addressed the issue.

Going forward, though, this series of cyber incidents at Toyota should be ample warning to other automakers around the world that they need to be doing more to protect customer data. According to Colin Bastable, CEO of Lucy Security, the reason for the attacks probably has more to do with the automaker’s intellectual property (IP) than with hackers trying to monetize customer data. “I expect that Toyota’s Japanese customers are collateral damage in an attempt to steal Toyota’s intellectual property,” says Bastable. “Toyota’s response, saying that they will implement additional security measures, reminds me of the recent Airbus attack and their similar remedial approach to cyber security.”


In short, all businesses that hold valuable IP or customer data should assume that they will be attacked. It’s no longer a question of “if,” but “when.” Hacker collectives are becoming much more sophisticated in how and why they target companies, especially those with far-flung global operations. All companies must now make cyber security a top concern, or risk some very adverse consequences as well as potential fines from regulators.