Commentary on Toyota breach
August 2024 by Guido Grillenmeier, Chief Technologist, Semperis
The following commentary from Guido Grillenmeier, Principal Technologist at Semperis, was issued in response to Toyota confirming it was breached.
The Toyota data breach is yet another stark reminder that the world’s largest companies oftentimes have the biggest targets on their backs. There is evidence in this breach that the threat actors targeted the company’s Active Directory, using a scraping tool to elevate their privileges and gather further credentials and information about the network, with the goal of extracting vast amounts of data. It doesn’t surprise me that the attackers breached one of Toyota’s U.S. dealerships, given how vast their footprint is, with more than 1,500 locations in the U.S. and 200 global distributors.
The one constant that does exist in cyberattacks is the criminal intent of the threat actors. They are cold-blooded and typically motivated by financial gain. Unfortunately, as is the case in approximately 90 percent of cyberattacks, identity system compromise occurs, most often of Active Directory or Entra ID, which stores the crown jewels of a business by managing all permissions to a company’s data. Can organisations prevent breaches like this one from happening in the future? The answer is yes, and it does start with having an assumed-breach mindset, because, let’s face it, breaches will occur, and no public or private organisation is immune or entirely secure.
Today, it is essential to build operational resiliency into your business plans so that when threat actors strike, you can limit disruptions and keep systems running. There’s no silver bullet that will solve the cybersecurity challenges facing organisations. First, identify the critical services that are "single points of failure" for the business. If critical services go down, then Toyota or other organisations could be taken offline. Have a plan for "what to do if". That includes a robust backup, recovery and response program to ensure that if they are also victimised and data is encrypted, they can access their backup data.