Toyota reports that it has fallen victim to a cyber attack. The Japanese car manufacturer is far from finished.

The incident occurred on November 16 at Toyota Kreditbank GmbH, a German branch of the company that prepares financing plans for the purchase of a new car. Hackers from the Medusa ransomware group claim they stole personal data from customers such as invoices, passwords, purchase contracts and ID card scans. The hackers also made this data public because Toyota did not agree to pay the ransom. The sum demanded was eight million dollars, plus an additional ten thousand dollars for each unpaid day.

In the most recent announcement, Toyota itself also appears to admit that customer data was stolen. “An attack on the systems gave unauthorized access to personal data,” says the translation from German into Dutch. Affected customers have been informed and the hacked systems have been back online since December 1st.

Bleeding servers

It’s still a matter of conjecture as to how the attackers broke into Toyota, but Security Week believes it knows more. The attack is said to be due to the Citrix Bleed vulnerability. This vulnerability in various types of Citrix NetScaler servers has been known since July and is being eagerly exploited by attackers. A patch has been available since the end of October. However, unless you delete active user sessions, patching will have little effect.

Not the first time

Whatever happened, the Japanese automaker is far from overdue for this new incident. In March 2022, the company was forced to halt production after an attack on a key auto parts supplier. But sometimes Toyota itself makes big mistakes. Late last year, the company was forced to apologize for allowing the public access to customer information for five years.

Production had to be stopped again in September. This time not after a cyber attack, but because the server memory had reached its limits. All in all, Toyota can hardly be described as a prime example of best IT practices.