Strange But True: Horror Stories of Cybersecurity
1. Japanese automaker Toyota said approximately 260,000 customers’ data was exposed online due to a misconfigured cloud environment. Along with customers in Japan, data of certain customers in Asia and Oceania was also exposed.
This breach is a clear violation of the Japanese Act on the Protection of Personal Information (APPI). It will be interesting to see how the Personal Information Protection Commission holds the world’s largest auto manufacturer responsible. In 2020 an amendment to the APPI increased fines to 1 million Yen ($71K USD) for individuals and 100 million Yen ($714K USD) for businesses. As of today, Toyota’s market cap is $235B USD, so even if Toyota is fined the maximum penalty under the law, it’s still a rounding error on a rounding error.
2. “We sincerely apologize to our customers and all relevant parties for any concern and inconvenience this may have caused,” Toyota said in a statement.
Well, that’s nice of them. Too bad the hackers don’t care, won’t care and will still use the stolen data to commit other types of fraud in the future.
3. Toyota has also confirmed that there was no evidence of any secondary use or third-party copies of data remaining on the Internet. “At present, we have not confirmed any secondary damage,” Toyota said.
Um…exqueeze me? Baking powder? So let me see if I got this right…data was exposed from February 2015 to May 2023. That’s what…eight years’ worth of customer PII and they are saying there is no evidence of downstream fraud?! Remember what Carl Sagan said – the absence of evidence is not the same thing as the evidence of absence. I don’t know how they can make this claim, but it sounds…um…like creative marketing.
4. The address, name, phone number, email address, customer ID, vehicle registration number, and vehicle identification number of certain customers in Asia and Oceania were potentially exposed externally. This data was exposed from October 2016 to May 2023.
All protected data elements under APPI. Could you imagine if this happened to Volkswagen or Ford? The fines would be astronomical. Under GDPR, fines are 20M EUR or 4% of global annual turnover (revenue) - whichever is less. In their 2022 annual report, Volkswagen reported 279B EUR in global revenues, 4% of which would be 11B EUR. That seems like a bit steeper fine than the $700K fine Toyota is facing.
5. Last year in October, Toyota reported that customers’ personal information may have been exposed externally after an access key was publicly available on GitHub for almost five years.
OK, so this is not a mom and pop. This is the world’s largest automobile manufacturer with $273B USD in global annual revenue. They have a budget for cybersecurity, they probably have armies of cybersecurity personnel, and they probably have the best technology money can buy. But STILL, they have suffered breach after breach for the past eight years, exposing the PII of hundreds of thousands of customers.
I have said many times that cybersecurity is a people problem – not a technology problem and certainly not a finance problem (i.e., you can’t throw money at it). Misconfigurations, vulnerabilities, missing patches and poor IT hygiene are all caused by humans. Companies will continue to suffer breaches like this, just like they have for the past 30 years, if they don’t take a different approach. Work with experts, train like you fight, and iterate. Cheesy as it sounds, cybersecurity is a journey, not a destination. And yet another breach at Toyota tells me their journey is nowhere near its end.
Postillion - technology strategy governance and policy pilot and guide (1y):
Great to see you writing this stuff again.

Project Manager (1y):
This is why it’s so important to be proactive versus reactive with ensuring security mechanisms and programs are in place!

IT Manager MAPI | CEH v12 - Certified Ethical Hacker | Pentester | VAPT | Former Client Analyst (1y):
Really appreciate to write.

The Advertorial Ace brings you more leads and sales (1y):
Yet another example of "it happens to others; it can't happen to me," which is the terrible attitude of most that cyber security professionals face, daily.

Regional Sales Manager at Splunk (1y):
Good and quick read! Looking forward to future issues.