Toyota informed customers that their personal data may have been stolen via a press release (Japanese).

The personal information of roughly 3.1 million Toyota customers may have been leaked following a security breach of multiple Toyota and Lexus sales subsidiaries.

This is the second breach at the company in five weeks. While the first incident took place at its Australian subsidiary, this breach was announced by the company's main offices in Japan.

The company said hackers breached its IT systems and accessed data belonging to several sales subsidiaries.

The list includes Toyota Tokyo Sales Holdings, Tokyo Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Nets Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla.

Toyota said the servers that hackers accessed stored sales information on up to 3.1 million customers. The carmaker said there's an ongoing investigation to find out if hackers exfiltrated any of the data they had access to.

This is the second cyber-security the company has announced this year, after disclosing a similar incident in late February, but affecting its Australian branch.

The attack on its Australian office was more disruptive in nature, bringing down Toyota Australia's ability to handle sales and deliver new cars, and has been attributed by some industry experts to APT32 (OceanLotus), a Vietnamese cyber-espionage unit with a known focus on the automotive industry. They are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists.

APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros. Upon execution, the initialized file downloads multiple malicious payloads from remote servers. APT32 actors continue to deliver malicious attachments via spear-phishing emails.

APT32 actors designed multilingual lure documents which were tailored to specific victims. Although the files had “.doc” file extensions, the recovered phishing lures were ActiveMime “.mht” web page archives that contained text and images. These files were likely created by exporting Word documents into single file web pages.

Experts suggested that APT32 hackers might have targeted Toyota's Australia branch as a way to get into Toyota's more secure central network in Japan.

At the time, Toyota declined to confirm any of these theories and attribute the attack to APT32 hackers.

Since at least 2014, FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. Furthermore, there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations.

Business must take actions to protect itself. The U.S. Department of Homeland Security explicitly tells us that we are NOT prepared for today’s attacks.

Organizations can choose to be low-hanging fruit, making it easy for hackers to focus on them or do things properly to fend off attackers.

Prevention is crucial. Every company must take these steps:

1. Cybersecurity training must be done regularly.
2. Auditing and documentation must be performed regularly to ensure systems are secure.
3. Anomaly detection should be running constantly to detect threats as they emerge.
4. Penetration testing shows if systems can easily be reached from the outside. Here is a case where this test might have saved two company’s’ reputations from being destroyed.
5. Network forensics for when a breach eventually occurs. The bad guys always seem to get in eventually.
6. An action plan to follow when a breach does occur. Once it happens, few will have the clear heads needed to “wing it” correctly. Equifax botched it’s response in what is being called a PR catastrophe.
7. Use phishing simulation which tests employees by sending safe phishing emails. Employees who click are quickly trained on what to avoid.

Protect your organization – even if you have internal IT, hire an experienced MSP or MSSP.

If you do get infected, be sure to hire an MSP with forensic experience who can handle the problem and get you back and running as soon as possible.