Executive Summary
Toyota Financial Services (TFS), a global subsidiary of Toyota Motor Corporation, experienced a cyberattack that affected its systems in Europe and Africa. This incident resulted in a data breach that impacted TFS customers. The attack, carried out by the Medusa ransomware gang, exposed sensitive personal and financial data.
Threat actors demanded an $8,000,000 ransom, setting a 10-day deadline for payment. Apparently, Toyota has not negotiated. As a result, stolen data is now available on Medusa’s dark web portal.
What Happened
Last month, TFS confirmed unauthorised access to European and African systems, impacting customer services. Toyota Kreditbank GmbH in Germany admitted to hackers accessing customer data.
Meanwhile, the Medusa ransomware gang claimed responsibility for the attack on November 17, 2023. They threatened to leak stolen data if an $8,000,000 ransom wasn’t paid by November 26, offering a $10,000 per day extension option. Afterwards, Medusa published the stolen data on its Tor leak site.
After Medusa revealed TFS as their victim, security analyst Kevin Beaumont pointed out that the firm’s German office had an internet-exposed Citrix Gateway endpoint. This endpoint had not been updated since August 2023, making it vulnerable to the critical security issue known as Citrix Bleed (CVE-2023-4966). Considering this vulnerability has been actively exploited, Medusa could also be taking advantage of it. Please refer to our following news articles for recent exploits of Citrix Bleed by LockBit:
- [CVSS 9+] LockBit Exploiting Citrix Bleed: Immediate Action Needed
- LockBit Claims Ransomware on India’s National Aerospace Lab
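The exposure described above (an internet-facing Citrix/NetScaler Gateway left on a pre-fix build) is the kind of thing an asset-inventory check should surface before an attacker does. Below is an added example of such a check, written for this article rather than taken from it or from any Toyota or Citrix tooling. It assumes a CSV export with the columns `hostname,role,exposure,version,last_updated` (a constructed format) and a table of minimum fixed builds for CVE-2023-4966 per NetScaler release branch, taken from Citrix's advisory for the issue as recalled here; verify those builds against the current vendor bulletin before relying on the script. Builds on branches the table does not cover (such as the end-of-life 12.1 line) are routed to manual review rather than silently passed.

```python
import csv
import io
import re
from typing import Optional

# Minimum fixed builds for CVE-2023-4966 per NetScaler release branch.
# Assumed values from the Citrix advisory for this CVE; confirm against
# the vendor's current bulletin before using in production.
FIXED_BUILDS = {
    "14.1": (14, 1, 8, 50),
    "13.1": (13, 1, 49, 15),
    "13.0": (13, 0, 92, 19),
}

# NetScaler build strings look like "13.1-48.47": major.minor-build.point
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(version: str) -> Optional[tuple]:
    """Turn '13.1-48.47' into (13, 1, 48, 47) so builds compare numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates the fix for its branch, False if at or past it,
    None if the string is unparseable or the branch is not in FIXED_BUILDS."""
    build = parse_build(version)
    if build is None:
        return None
    fixed = FIXED_BUILDS.get(f"{build[0]}.{build[1]}")
    if fixed is None:
        return None  # unlisted or end-of-life branch: needs a human look
    return build < fixed


# Constructed sample inventory; hostnames and builds are illustrative only.
SAMPLE_INVENTORY = """\
hostname,role,exposure,version,last_updated
gw-de-01.example.test,NetScaler Gateway,internet,13.1-48.47,2023-08-10
gw-uk-01.example.test,NetScaler Gateway,internet,13.1-49.15,2023-10-12
adc-int-01.example.test,NetScaler ADC,internal,13.0-91.13,2023-07-02
gw-legacy.example.test,NetScaler Gateway,internet,12.1-65.21,2022-11-30
lb-web-01.example.test,F5 BIG-IP,internet,17.1.0,2023-09-15
"""


def triage(inventory_csv: str) -> dict:
    """Sort NetScaler appliances into vulnerable / patched / review buckets,
    listing internet-exposed vulnerable hosts first."""
    findings = {"vulnerable": [], "patched": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "NetScaler" not in row["role"]:
            continue  # only NetScaler ADC/Gateway is in scope for this CVE
        entry = (row["hostname"], row["version"], row["exposure"])
        verdict = is_vulnerable(row["version"])
        if verdict is None:
            findings["review"].append(entry)
        elif verdict:
            findings["vulnerable"].append(entry)
        else:
            findings["patched"].append(entry)
    # Stable sort: internet-facing hosts float to the top of the vulnerable list
    findings["vulnerable"].sort(key=lambda e: e[2] != "internet")
    return findings


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(bucket.upper())
        for hostname, version, exposure in hosts:
            print(f"  {hostname:28} {version:12} {exposure}")
```

Run against a real export, the script gives a prioritised list: internet-exposed appliances below the fixed build are the ones to patch (and, per the vendor guidance for this CVE, to kill existing sessions on) first, while anything on an unlisted branch is flagged for review instead of being assumed safe.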
Impact
The cyberattack has significantly impacted TFS and its customers.
The incident has disrupted TFS’s operations, leading to the temporary shutdown of certain systems in Europe and Africa. This disruption has affected their customer services, causing inconvenience and potential financial repercussions for individuals relying on TFS for auto financing.
According to the German news outlet Heise, Toyota has sent notifications to its German customers, informing them that the following data has been compromised: full names, addresses, contracts, lease-purchase details, and IBANs. Data of this kind can be used for identity theft, financial fraud, and other malicious activities.
Additionally, financial documents, invoices, and passport scans are now accessible on the dark web, increasing the likelihood of fraudulent activities.
In summary, the breach not only poses immediate risks but may also have long-term consequences for Toyota’s reputation and customer relationships.
Response from Toyota
Upon detecting the cyberattack, TFS contained the breach by temporarily shutting down affected systems in Europe and Africa. The company initiated an internal investigation to assess the extent of the compromise and ascertain the specific data accessed by the threat actors.
TFS has been issuing notifications to the customers affected by the breach. German customers, in particular, received notices detailing the compromised data, including full names, addresses, contracts, lease-purchase details, and IBANs. This communication aims to keep customers informed about the situation and urges them to remain vigilant.
The company promises to promptly update affected customers as the internal investigation progresses. While the notification confirms certain compromised data, the ongoing internal investigation may reveal additional information accessed by the attackers. Toyota emphasises its commitment to securing customer data and minimising the potential impact of the breach.
Additionally, Toyota has gradually restarted its systems since December 1st. The company is actively working to address the aftermath of the cyberattack and enhance its cybersecurity measures to prevent future incidents.
About Medusa Ransomware
Medusa Ransomware, also referred to as MedusaLocker, has been actively targeting large enterprises since at least 2019. It operates as a ransomware-as-a-service (RaaS). Medusa focuses primarily on sectors such as healthcare, education, and enterprises dealing with substantial volumes of personally identifiable information (PII).
Employing a double extortion tactic, the Medusa group first steals victim data before encrypting it. This malicious approach involves threatening to sell or publicly release the exfiltrated data unless the demanded ransom is promptly paid. Notably, the group is known for leaking data from organisations that refuse to pay their ransom demands.
In a concerning incident in 2023, the group targeted a school district in the US and leaked students’ psychological reports as well as abuse allegations. You can find more information about the gang in the security advisory from Sangfor.