Toyota Financial Services ransom attack exposes customer banking info


Toyota Financial Services (TFS) says personal details, including bank account information, were compromised in last month's ransomware attack claimed by the Medusa ransomware gang.

The European branch of the Japanese automaker’s vehicle financing and leasing subsidiary sent a notice, to affected individuals informing them of the exposure.

On December 5th, TFS has also announced the breach on its website and that “unauthorized persons had gained access to personal data.”

“As announced on November 16th, Toyota Financial Services Europe & Africa has detected unauthorized activity on systems at a limited number of locations, including Toyota Kreditbank GmbH in Germany,” the post stated, translated from German.

TFS handles auto loans, leases, and other financial services to Toyota customers in every continent.

Toyota Deutschland GmbH is an affiliated company held by Toyota Motor Europe (TME) in Brussels, Belgium and located in Köln (Cologne).

The breach notification letter, also sent in German, explains that certain TKG files were accessed during the attack.

Toyota Financial Services breach notice

At this time, TFS can confirm the compromised information of those affected includes first and last names, as well as their residential postal code.

Other contract information that may have been exposed includes “contract amount, possible dunning status, and your IBAN (International Bank Account Number),” the letter stated.

"We regret any inconvenience this may have caused to customers and business partners," TFS wrote.

“It’s not clear how the attackers initially gained access to Toyota’s systems, but with unauthorized access being detected, this could indicate stolen credentials were involved,” said CEO of My1Login Mike Newman.

Data frequently reveals that phishing and credential theft are two of the most common attack vectors used to deploy ransomware, Newman explained.

Newman said the incident is yet another example of “how criminals hold all the power when it comes to ransomware,” adding that for groups like Medusa, the money-making opportunities are endless.

“It doesn’t matter if the organization pays the ransom demand, attackers always have the upper hand as they can still sell the stolen data on, or use it to target victims.”

Newman suggests that removing password based security mechanism from employees and replacing them with modern identity access solutions, would significantly bolster an organization's security defenses.

Meanwhile, it appears the Medusa ransomware group, who first claimed responsibility for the breach on its dark leak site November 16th, has now published all available data.

Toyota Financial Services publish
Medusa leak site. Image by Cybernews.

The criminal operators were demanding $8 million to delete the data allegedly stolen in the attack, providing a sample of 32 documents from 10 separate files.

At the time of this report, more than 6,000 viewers are shown to have visited the Medusa Toyota Financial Services blog post.

Other data previously thought to have been taken from TFS servers includes usernames and passwords, and passport details.

The world’s largest automaker said if “we discover that additional personal data is affected, the unauthorized use of which poses a high risk, we will inform you.”

Medusa grows more effective

Brian Boyd, head of technical delivery at cybersecurity firm i-confidential, named Medusa as “one of today’s most prolific ransomware gangs.”

“It is reassuring that Toyota appears not to have paid the attackers,” Boyd said, but because of Medusa’s capabilities, “victims should be on guard for fraud and identity theft.”

Besides using credential monitoring services to identify fraudulent credit applications, Boyd said victims should also “keep an eye on email accounts, as attackers could also use the data stolen to execute phishing attacks to steal more information.”

“Any emails in relation to the breach must be treated with caution, especially ones requesting personal data,” he added.

This week, the Medusa ransomware gang also took responsibility for cyberattacks on three separate school districts, compromising the personal information of thousand students and teachers.

First observed in 2022, Medusa has attacked at least 119 organizations in the past year, making it into the top five most active ransomware gangs over the past four weeks, according to Ransomlooker, a Cybernews ransomware monitoring tool.

Newman stresses the importance of improving access security to defend against ransomware, suggesting removing password-based security mechanisms from employees and replacing them with modern passwordless security mechanisms, such as multi-factor or single sign-on authentication, including biometrics, security keys, authenticator apps, as well as encrypted security tokens.

TFS said the Toyota Kreditbank systems taken offline in the wake of the attack “have been gradually restarted since December 1st.”


More from Cybernews:

Three states, three school districts, one Medusa ransom gang

US military spaceplane poised for 7th launch, first atop SpaceX Falcon Heavy

Female VCs face major disadvantage: the reality of gender washing in venture capital

Schadenfreude galore: in Naomi Alderman’s “The Future,” the wealthy suck

Europol eyes Bluetooth trackers as a popular tool for crime

Subscribe to our newsletter



Leave a Reply

Your email address will not be published. Required fields are markedmarked