
Toyota has been hacked again, though this time by a security researcher rather than a hacker.
Eaton Zveare, a researcher, said that he gained access to Toyota’s Global Supplier Preparation Information Management System in October. The system is a web app used by Toyota employees and their suppliers to coordinate projects, parts, surveys, purchases, and other tasks related to the global Toyota supply chain.
Administrator access was gained through a backdoor as part of a user impersonation feature. Zveare had read and write access to the system’s global user directory of more than 14,000 users. The access included confidential documents, projects, supplier rankings and comments, and other internal information.
The bug was disclosed to Toyota in November and the company subsequently fixed the issue in a timely manner.
Compared with LastPass, T-Mobile and Marriott, Toyota fared better, but it does have fairly regular security breaches, whether direct or across its supplier network. Then there was the time in October when it left access keys on GitHub.
In an earlier instance, Toyota was forced to halt manufacturing operations at all its plants in Japan after a cyberattack struck a major component supplier. The supplier, Kojima, was directly connected to Toyota’s production control system, and there was concern that the attack could also spread to Toyota’s system.
The same month, data was stolen from Denso Corp., a global automotive manufacturer based in Japan that is also 25% owned by Toyota. The Pandora ransomware gang claimed responsibility and said it had stolen 1.4 terabytes of data belonging to Toyota.
Organizations should only provide employees and third parties with access to the data needed for their role. This helps to control what data can be accessed in the event of a breach.