The bigger the company, the more opportunities there are for hackers to breach the security of its systems and wreak havoc. Toyota found that out this year when it suffered three attacks in six months, losing both data and money. The first attack hit Toyota Australia: on 21 February, the company stated that it had suffered a malware attack. No data was accessed, but the company’s website, phone, and email were disabled for a few days. Staff were sent home, and car deliveries were disrupted while Toyota worked with cybersecurity experts to repair the damage. [1]
The second attack was more serious. This time it involved Toyota Japan, and the attack led to a data breach in which up to 3.1 million items of customer data were stolen from Toyota and Lexus, including names, addresses, birth dates, and employment information. While it appears that no credit card details were stolen, the leaked data could still leave customers open to the threat of identity theft. [2] It seems that two of Toyota’s subsidiaries, in Thailand and Vietnam, also experienced an information breach during the same attack, and this has led to speculation from cybersecurity experts that those responsible for both this attack and the Australian one may have been a Vietnamese hacking organization known as APT32. [3] However, no further details have been forthcoming from Toyota.
The third and most recent attack targeted Toyota’s European subsidiary, Toyota Boshoku, which sells interior components for the cars. On August 14, it fell victim to a Business Email Compromise (BEC) scam, in which an employee was tricked into sending around 4 billion yen ($37.3 million) to an unauthorized third party. [4] BEC relies on the trust employees have in their employers, so that any email that looks like it comes from management will be acted upon immediately and without question. If the fraudsters can engineer an email that looks identical to those usually sent by company bosses, they can ask the targeted member of staff to send either money or confidential information wherever the criminal wishes.
In all three attacks, Toyota has not been very forthcoming with details, apart from saying, in relation to the latest incident, that it would ‘disclose any amendments to the released March 2020 earnings forecast if this incident makes such revision necessary’. [5]
All of these breaches show that there were weaknesses in Toyota’s cybersecurity, which hopefully it has now addressed. The motor industry is an emerging target for cybercriminals, not just through the manufacturers’ networks but also through the cars themselves. Vehicles are becoming smarter, with more technology that relies on the internet, as well as on users’ Bluetooth devices and smartphones that connect to the car. All of these offer openings that hackers can exploit to steal personal data, listen in on conversations, and even control specific systems within the vehicle itself, such as the engine, steering, and locking mechanism. Some manufacturers have already been trying to address these issues, most commonly by isolating the infotainment system from the rest of the network, but many are still woefully underprepared. A survey carried out by SAE International and the Synopsys Software Integrity Group in February 2019 found that 30% of their respondents did not have any cybersecurity protocols and that 63% ‘test less than half of the automotive technology they develop for security vulnerabilities’. [6]
Whether it is an attack on an automotive company’s data or on its products, both its reputation and its customer information are incredibly vulnerable. So far, there have been no disasters or severe compromises arising from in-car technology, but it can only be a matter of when, not if. All auto manufacturers need to take a good look at their cybersecurity awareness programs, or lack thereof. Technology is one side of the equation, but manufacturers must also invest in a robust cyber educational awareness program that enhances the knowledge of every employee. It is the easiest, fastest, and lowest-cost way to reduce risk.
1. ‘Toyota Australia Says No Customer Data Taken in Attempted Cyber Attack,’ The Guardian, 02/20/2019, accessed at https://www.theguardian.com/business/2019/feb/21/toyota-australia-says-no-customer-data-taken-in-attempted-cyber-attack
2. Sydny Shepard, ‘Toyota and Lexus Dealerships Hacked, Millions Left Vulnerable,’ Security Today, 04/02/2019, accessed at https://securitytoday.com/articles/2019/04/02/toyota-and-lexus-dealerships-hacked-millions-left-vulnerable.aspx
3. ‘Toyota Data Breach Affects Millions,’ Compliancy Group, 04/18/2019, accessed at https://compliancy-group.com/toyota-data-breach-affects-millions/
4. Phil Muncaster, ‘Toyota Subsidiary Suffers $37m BEC Loss,’ Infosecurity, 09/10/2019, accessed at https://www.infosecurity-magazine.com/news/toyota-subsidiary-suffers-37m-bec/
5. Rene Millman, ‘Toyota’s European Subsidiary Loses £30 in the BEC Scam,’ SC Media, 09/09/2019, accessed at https://www.scmagazineuk.com/toyotas-european-subsidiary-loses-30-million-bec-scam/article/1596033
6. ‘Synopsys and SAE International Release New Study Highlighting Critical Cybersecurity Risks in the Automotive Industry,’ Synopsys, 02/06/2019, accessed at https://news.synopsys.com/2019-02-06-Synopsys-and-SAE-International-Release-New-Study-Highlighting-Critical-Cybersecurity-Risks-in-the-Automotive-Industry