Toyota Financial Services attack claimed by Medusa ransomware


Toyota Financial Services (TFS), the Japanese automaker’s vehicle financing and leasing subsidiary, was recently hit by a disruptive cyberattack. The Medusa ransomware gang has just taken responsibility for it.

Earlier this week, TFS Europe & Africa said the company “identified unauthorized activity on systems,” which forced the company to take some systems offline.

“We are working diligently to get systems back online as soon as possible, and we regret any inconvenience caused to our customers and business partners,” TFS said, adding that the incident is limited to Europe & Africa.

While the company did not identify the nature of the attack, TFS was likely hit with ransomware, as it’s been listed on the dark web leak site that Medusa uses to showcase its latest victims.

Toyota Financial Services posted on Medusa's blog. Image by Cybernews.

We’ve contacted the TFS European branch, but the company did not want to comment beyond what was already said in the official statement.

"The security of personal information and the protection of our customers is a priority for TFS, and at this time, our investigation is ongoing," TFS told Cybernews.

The attackers claim to have breached TFS’s Germany branch. The gang included data supposedly taken from TFS servers, such as leasing contracts, email addresses, usernames and passwords, passport details, and other sensitive data.

TFS is a financial subsidiary of the Toyota Motor Corporation, the world’s largest automaker. TFS handles auto loans, leases, and other financial services for Toyota customers on every continent.

Medusa’s dark web blog post suggests that the gang demands $8 million to delete the data allegedly stolen from TFS.

Earlier this week, Medusa said it had hit the prominent Canadian fintech Moneris. However, the company told Cybernews that the attackers had only “attempted” an attack and did not succeed.

The Medusa ransomware gang began operating around the end of 2022 and has been consistently active. According to Ransomlooker, a Cybernews ransomware monitoring tool, Medusa has attacked at least 119 organizations over the past 12 months.

Medusa ransomware is believed to be operating under the Ransomware-as-a-Service (RaaS) model, where threat actors with limited technical skill use malware devised by sophisticated developers. Affiliates later share ransom money with the developers.