The personal information of roughly 3.1 million Toyota customers may have been leaked following a security breach of multiple Toyota and Lexus sales subsidiaries, as detailed in a breach notification issued by the car maker today.
As detailed in a press release published on Toyota'a global newsroom, unauthorized access was detected on the computing systems of Tokyo Sales Holdings, Tokyo Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Nets Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla.
"It turned out that up to 3.1 million items of customer information may have been leaked outside the company. The information that may have been leaked this time does not include information on credit cards," says the data breach notification.
Toyota has not yet confirmed if the attackers were able to exfiltrate any of the customer personal information exposed after the IT systems of its subsidiaries were breached.
We have not confirmed the fact that customer information has been leaked at this time, but we will continue to conduct detailed surveys, placing top priority on customer safety and security.
"We apologize to everyone who has been using Toyota and Lexus vehicles for the great concern," states Toyota's notification.
Also, "We take this situation seriously, and will thoroughly implement information security measures at dealers and the entire Toyota Group."
This breach comes after Australian Toyota dealers were also targeted by a cyber attack which led to multiple corporate IT systems going down on February 19.
In a statement published two days after the incident that impacted Toyota's Australian dealers, a car maker spokesperson said that:
Our network of 279 dealers is still operational and able to help customers with their enquiries. However, there have been some impacts to parts supply, which is subsequently delaying servicing at some dealerships.
Security experts consider the attacks targeting Toyota's subsidiaries and dealers to be part of a large scale coordinated operation attributed to the Vietnamese-backed APT32 hacking group, also known as OceanLotus and Cobalt Kitty, says ZDNet.
FireEye says that APT32 is targeting "foreign companies investing in Vietnam’s manufacturing, consumer products, consulting and hospitality sectors."
APT32 also targeted research institutes from around the world, media organizations, various human rights organizations, and even Chinese maritime construction firms in the past. [1, 2, 3, 4, 5, 6, 7]
Vietnamese cyber espionage trackers:
Check the @riskybusiness podcast episode (534). A chat with a Toyota Australia dealership employee leads to a reexamination of the impacts & motives of their recent breach.
I agree that #APT32 is targeting auto industry...— Nick Carr (@ItsReallyNick) March 14, 2019
BleepingComputer has reached out to Toyota for comment but had not heard back by the time of this publication.