Toyota has confirmed that a data breach involving a third-party vendor exposed sensitive customer and employee information, according to a report on Monday from the technology news outlet BleepingComputer.
The breach was made public when a hacker group leaked 240GB of stolen data on an underground forum, the report indicates.
According to Toyota, the breach is limited to external systems and does not impact Toyota’s own network. The automaker said that its internal systems, including those of Toyota Motor North America, were not compromised.
Instead, the stolen data appears to have come from a third-party entity misrepresented as Toyota.
The data exposed includes sensitive details about Toyota employees and customers, along with contracts and financial information.
The hacking group “ZeroSevenGroup” claimed responsibility, boasting about their access to a significant amount of data, including network infrastructure information and credentials extracted using open-source tools.
“We have hacked a branch in the United States of one of the biggest automotive manufacturers in the world,” the group stated. “We are sharing the files for free, which include contacts, financial details, customer information, employee data, and more.”
While Toyota has not yet disclosed when the breach occurred or how the data was accessed, BleepingComputer said that the stolen files were created on December 25, 2022.
This is not the first time Toyota’s data has been compromised. In December 2023, Toyota Financial Services reported that sensitive personal and financial data was compromised due to a Medusa ransomware attack.
Earlier that year, a data breach exposed car-location information for over 2 million customers because of a cloud database misconfiguration.
In response to the breaches, Toyota has implemented an automated monitoring system to better manage cloud configurations and prevent future leaks.
Despite the measures, the company has faced continuous security challenges, including breaches of Toyota and Lexus sales subsidiaries in 2019, which resulted in the exposure of up to 3.1 million customer records.