Pierluigi Paganini December 11, 2023

Toyota Financial Services (TFS) disclosed a data breach, threat actors had access to sensitive personal and financial data.

Toyota Financial Services (TFS) is warning customers it has suffered a data breach that exposed sensitive personal and financial data.

“Due to an attack on the systems, unauthorized persons gained access to personal data. Affected customers have now been informed. Toyota Kreditbank’s systems have been gradually restarted since December 1st.” reads a statement published by the company on its website.

Toyota Financial Services (TFS) is the finance arm of the Toyota Motor Corporation. It is a subsidiary of Toyota and provides a range of financial services to Toyota customers and dealerships worldwide. TFS offers various financial products, including auto loans, leases, and insurance solutions. The goal of TFS is to support Toyota customers in financing their vehicles and to facilitate the purchase or lease of Toyota vehicles through flexible and tailored financial options. The services provided by Toyota Financial Services may vary by region, and customers can typically access these services through Toyota dealerships or online platforms.

German website Heise obtained the data breach notification sent by Toyota to German customers. The company told them that threat actors gained access to full names, residence addresses, contract information, lease-purchase details, and IBAN (International Bank Account Number).

Toyota Financial Services warns its German customers to remain vigilant and contact their bank to take additional security precautions. They should monitor unusual activities and obtain a current credit report from Schufa.

Toyota also notified the data protection officer for North Rhine-Westphalia about the security breach.

On November 17, 2023, the Medusa ransomware gang claimed responsibility for the attack and threatened to leak the purportedly stolen data if the company doesn’t pay the ransom.

The ransomware gang initially demanded a payment of $8,000,000 to delete data allegedly stolen from the company, and they offered the option to extend the deadline for an additional $10,000 per day.

Medusa Toyota set the deadline for November 26 and published a sample of the stolen data as proof of the hack.

Leaked sample data includes financial documents, invoices, hashed account passwords, passport scans, and more. The documents are in German, a circumstance that suggests that they have been stolen from company systems located in Germany.

The popular cyber security expert Kevin Beaumont first noticed that the company office in Germany had a vulnerable Citrix Gateway exposed online. Threat actors likely exploited the vulnerability Citrix Bleed to gain initial access to the company’s network.

The Medusa group has now published the stolen data on its Tor leak site.

Impacted customers are at risk on fraudulent activities, including identity theft and financial fraud.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, TFS)