Hacker News
Toyota confirms third-party data breach impacting customers (bleepingcomputer.com)
66 points by mooreds 11 days ago | hide | past | favorite | 25 comments





> and were able to steal 240GB of files with information on Toyota employees and customers, as well as contracts and financial information,

> They also claim to have collected network infrastructure information, including credentials, using the open-source ADRecon tool that helps extract vast amounts of information from Active Directory environments.

> One day later, a spokesperson clarified in a new statement shared with BleepingComputer that Toyota Motor North America's systems were "not breached or compromised," and the data was stolen from what appears to be "a third-party entity that is misrepresented as Toyota."

I wonder if the third-party entity is Microsoft and it was their Azure AD, Exchange, SharePoint, OneDrive, etc. that was accessed. If so, it's an interesting word choice to use to try to dodge responsibility and criticism.


I don't know why companies think that if a third party is breached and steals their data from them, said company somehow is any less culpable.

If you give your data to a third party, you are still fully responsible for the security of that data. Don't trust the third party? Don't give them the data.


If anything it looks worse somehow… it takes it out of the “maybe they made a technical screw up, after all IT isn’t really a core competency for Toyota” into the “are they good at evaluating the parties they do business with?”

I don’t expect Toyota to be very good at IT. But I expect them to somehow figure out if they are working with incompetent or evil third parties, because they also buy airbags and brakes from third parties, so like, they should be good at evaluating their vendors.


I mostly agree for data given, with carve-outs for data that is necessary for something. For a silly example, recall back when Amazon was hiding information in their emails so that they wouldn't be sharing purchase information with third parties.

It sucks, because I don't necessarily know how you could codify the difference here. If you said that Amazon was sharing customer emails and purchases with a third party, that is indeed suspicious as heck. When you restate that they email you receipts with this information, it sounds a lot different. Indeed, it was very inconvenient when they didn't do that.

This is also why most hospitals have those ridiculous "you have a new message on the portal" emails. Which are so infuriating.


Imagine in the physical world.

You put something in a storage locker with a key. Someone nefarious asks you for the key, and steals your things out of the storage locker. Then you blame the storage locker for unlocking to your key.


Sounds more like a third party MSP for Toyota Motors NA based on the basic AD misconfigurations.

It's also highly likely that Toyota Motors NA contracted out IT work to said third party, as is the norm at most non-software companies because IT is a cost center (just like how payroll and accounting tend to be contracted out at software companies).

Snowflake got hit by a similar incident when Polish (edit: Ukrainian) EPAM contractors' laptops were compromised [0], leading to a massive breach org-wide and for dozens of F1000s.

[0] - https://techcrunch.com/2024/06/05/snowflake-customer-passwor...


A Wired story says the EPAM employee whose laptop was compromised with a keylogger was Ukrainian, not Polish.

Doh! Editing!

Reads a bit like it could have been a dealership or dealer network that was breached.


It's not a data breach so much as company negligence and liability in exposing customers to fraud. The company is wholly responsible and should have severe punitive damages applied to their business.

Even as a Toyota fanboy (though this seems to be a 3rd party, not Toyota directly), I agree with you that companies need to be held accountable, because what we’re doing now (nothing) doesn’t seem to be working; however, I’d caution you about just making this a financial liability for them and ask you to step back and think critically.

If you make this a financial liability, they (any company) are going to purchase insurance like anything else and then offset that cost to the customer - so you’ll just end up paying for it anyway.


Toyota’s costs don’t determine the prices Toyota can charge, and if the expected costs of adding a widget exceed the benefits you can be fairly sure they won’t add the widget.

Fine, in that case companies that take security seriously and/or have frugal data collection and retention policies will be more affordable than their competitors, since their premiums will be cheaper.

The insurers will cotton on to the fact that companies with good data protection practices, like data minimization and auditing+pentesting your suppliers, pose a lower risk, and they will price that into the insurance products.

To companies taking out insurance, this can look like being denied coverage unless you have evidence of good practices.

But criminal statutes for gross negligence would probably also help.


Insurability and a company's willingness to buy insurance depend on whether courts or legislators make it a slap on the wrist that's just a cost of doing business or a real existential liability. Make the penalty steep enough and the only option is to stop the behavior.

OP isn't wrong, and even attackers price in insurance payouts in ransomware demands.

Chubb, AXA, and others are major players in the cyber insurance industry in 2024.

We were going the right path with recent SEC regulations, but those are up in the air now with the Chevron deference decision.


When you do business with a 3rd party, and that 3rd party screws up, they are liable.

Otherwise, it's impossible to function as a society.


I feel a data breach no longer qualifies as news these days; it has popped up here and there regularly for a long while now, and nobody is safe.

My identity has been in the wild for a few years, and someone even used it to open credit cards, buy phones, and get new driver's licenses, and even to claim an IRS tax refund.

Nowadays I check my accounts daily; that's the only thing I can do, monitor things closely, I mean, on a daily basis. What else can I do?

Don't mention the credit alert etc.; the impostor set that up before me, since they had everything about me. And yes, I got letters that my info was leaked multiple times over the years.


I created an account with all three credit bureaus and "freeze" them. I can unfreeze them at any time.

For everyone’s benefit:

https://my.equifax.com/membercenter/#/freeze

https://usa.experian.com/mfe/regulatory/security-freeze

https://service.transunion.com/dss/freezeStatus.page

NOTE: do not pay for this service from any of these companies. Placing and lifting a credit freeze is a free and nearly instantaneous action.

NOTE 2: you may need to try the link multiple times as the login action sometimes takes you away from the requested page (Experian…)


I still remember how much I was seething about the Equifax breach back in 2017. In fact, it still makes me angry today!

I’ve been part of so many data breaches by now - some of them from companies I’ve never interacted with, just because another company shared my data with them. That was the moment I realized that I just can’t trust corporations with my safety and went on the defensive.

Which reminds me, I still need to find a way to set up a new phone number for each company that requests it.


I worked for Toyota in the UK once upon a time. They used CDK Drive for their Dealer Management System. Could that be the 3rd-party culprit? Couldn't have happened to a nicer company, lol.

The breaches will continue until the penalties for being irresponsible with customer data outweigh the savings of doing the cheap/easy thing.

Here come the free credit monitorings.


