
Toyota Acknowledges Security Breach After Medusa Ransomware Threatens to Leak Data

Toyota Financial Services (TFS) announced that unauthorised access had been detected on some of its systems in Europe and Africa after the Medusa ransomware gang claimed responsibility for the attack.

Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is a global entity that provides auto financing to customers in 90% of the markets where Toyota sells its vehicles. 

The Medusa ransomware gang added TFS to its data leak site on the dark web earlier this week, demanding $8,000,000 to delete data allegedly stolen from the Japanese company. Toyota was given ten days by the threat actors to respond, with the option to extend for an additional $10,000 per day. 

Toyota Finance did not confirm whether data was taken in the attack, but the threat actors say they have files exfiltrated and threaten to release data if the ransom is not paid.

The hackers published sample data, such as spreadsheets, purchase invoices, agreements, passport scans, financial performance reports, internal organisation charts, hashed account passwords, cleartext user IDs and passwords, and more, as proof of the intrusion. 

The hackers also supply a .TXT file containing the file tree of all the data that Medusa claims to have taken from Toyota's systems. The majority of the documents are written in German, suggesting that the hackers gained access to the systems supporting Toyota's activities in Central Europe.

The Japanese automaker was contacted by BleepingComputer for a comment regarding the leaked data, and a company representative gave the following statement: 

“Toyota Financial Services Europe & Africa recently identified unauthorized activity on systems in a limited number of its locations. We took certain systems offline to investigate this activity and to reduce risk and have also begun working with law enforcement. As of now, this incident is limited to Toyota Financial Services Europe & Africa.” 

The spokesperson informed us that most countries are currently in the process of bringing their systems back online, but did not say when the affected systems are expected to resume regular operations.

Another Citrix Bleed breach?

Earlier today, in response to Medusa's claim that TFS was its victim, security analyst Kevin Beaumont pointed out that the company's German office had an internet-exposed Citrix Gateway endpoint that had not been updated since August 2023, leaving it vulnerable to the critical Citrix Bleed (CVE-2023-4966) security flaw.

It was confirmed a few days ago that the hackers behind the LockBit ransomware had breached the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing using publicly available Citrix Bleed exploits.

It is likely that other ransomware groups have also begun to use Citrix Bleed, capitalising on an attack surface believed to span thousands of endpoints.

Automakers can Exploit Your Private Data However They Want

It turns out that the answer to the question of which devices have the worst user privacy policies may be waiting for you outside. The Mozilla Foundation said in a report released on Wednesday that cars are "the official worst category of products for privacy" it has ever analysed. 

The global nonprofit discovered that 84% of the reviewed automakers shared user data with third parties, giving users little (if any) control over their personal information. 

The nonprofit organisation's minimum privacy criteria were not met by any of the 25 automakers analysed for the report, including Ford, Toyota, Volkswagen, BMW, and Tesla, which was also discovered to be collecting more personal information from customers than necessary. 

The data that is gathered ranges from personal information, such as medical information, to information about how drivers use the vehicle itself, including how fast they drive, where they travel, and even what music they are listening to.

Both Nissan and Kia are known to permit the gathering of data about a user's sexual life. In comparison, Mozilla claims that 37% of mental health applications (which are also known for having bad data privacy practices) had superior practices for collecting and using private data. 

According to the report, 84 percent of the evaluated car brands share users' personal information with service providers, data brokers, and other potentially dubious companies, with 76 percent claiming the right to sell such information. 56 percent say they will hand over information to the government and/or law enforcement upon request.

Tesla, flagged in every privacy category, received the lowest overall brand score in the survey; only one other product Mozilla has ever reviewed has been flagged in every category. Following a number of collisions and fatalities, Tesla's AI-powered Autopilot was criticised as "untrustworthy."

In addition to the research, Mozilla also released a breakdown outlining how automakers collect and share user data. This can range from basic information like the user's name, address, phone number, and email address to more private information like images, calendar entries, and even specifics like the driver's race, genetic makeup, and immigration status.

Mozilla says it was unable to confirm whether any of the automakers met the group's baseline security requirements for data encryption and theft protection. In fact, it notes that dating apps and even sex toys frequently offer more thorough security information about their products than cars do.

“While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines,” stated Mozilla in the report. 

Mozilla says it spent more than 600 hours researching the privacy policies of car manufacturers, three times as long per product as it typically does. The organisation said that, given how damning the report is, the recommendations it usually gives to help consumers protect their personal data feel like "tiny drops in a massive bucket."

Instead, the Mozilla Foundation has launched a petition asking automakers to halt the data collection initiatives from which they are unfairly profiting, saying that "our hope is that increasing awareness will encourage others to hold car companies accountable for their terrible privacy practices."