Toyota finance business confirms ransomware attack, data breach

Toyota Financial Services (TFS), a subsidiary of the popular automaker, has confirmed suffering a ransomware attack.

The company's spokesperson gave a short statement to BleepingComputer, in which they stated that Toyota Financial Services Europe & Africa “recently identified unauthorized activity on systems in a limited number of its locations.”

The company only mentioned unauthorized activity on its endpoints and didn't say whether any data was stolen. The attackers, on the other hand, claim to have stolen plenty of sensitive information from the firm.

Medusa ransomware

The company took certain systems offline to investigate the attack and reduce the risk of the incident escalating further, the spokesperson continued. “As of now, this incident is limited to Toyota Financial Services Europe & Africa.”

The threat actors behind this incident are known as Medusa Ransomware. The group added Toyota Financial Services (TFS) to its data leak site, claiming to have stolen financial documents, spreadsheets, purchase invoices, hashed account passwords, cleartext user IDs and passwords, agreements, passport scans, internal organization charts, financial performance reports, staff email addresses, and more. A sample of the data was added to the site, as well as a .TXT file with the file tree structure. 

Apparently, many documents are written in German, suggesting that the attackers stole the files from an entity in the central European country. The ransom demand is $8 million, and TFS has 10 days to make up its mind. The deadline can also be extended, for $10,000 a day. So far, we don't know if TFS is even considering making the payment.

Some researchers have also speculated about how Medusa managed to break into Toyota’s network. In his writeup, security analyst Kevin Beaumont said TFS had unpatched Citrix Gateway endpoints in its German offices, sparking debate over whether Medusa abused the CitrixBleed flaw to get in.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.