Toyota breach latest

Toyota data breach may have exposed up to 3.1 million customers – not the first time, so what can the company do to reassure its customers? And what data do you hold? Why? For how long and what for?

Toyota has announced its second data breach of 2019 – the first was at its Australian subsidiary and the new breach was announced by the company’s main offices in Japan.

With the new data breach, hackers accessed servers that stored sales information on up to 3.1 million customers. There is an ongoing investigation to find out if hackers exfiltrated any of the data they had access to.

Toyota said the servers that hackers accessed stored sales information on up to 3.1 million customers. The customers are from Toyota Tokyo Sales Holdings, Tokyo Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Nets Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla.

A spokesman said: “We apologise to everyone who has been using Toyota and Lexus. We take this situation seriously and will thoroughly implement information security measures throughout the entire Toyota Group.”

Jonathan Bensen, CISO and senior director of product management, Balbix said: “Toyota’s recent data breaches highlight the fact that global enterprises do not have ample visibility into their massive networks and infrastructure, and therefore are not able to take proper actions to avoid data leaks.”

He also casts doubt on Toyota’s reassurances: “The car maker has made statements to try and reassure affected individuals that financial information was not exposed. Any breach of personal identifiable information is reason enough for customers to be alarmed. Toyota must also understand that sometimes it is not just about the type of data that was breached, it’s also a breach of trust.”

Chris DeRamus, CTO, DivvyCloud, raised concerns about Toyota’s security protocols: “Toyota said that they are taking this incident seriously and will thoroughly implement information security measures at dealers and the entire Toyota Group, however there should have been security tools and plans in place already to proactively avoid cyber attacks in the first place. Data is the new oil in our digital era and companies should be doing everything they can to protect it.”

So, what should be done? DeRamus adds: “Global organisations must balance their use of modern technologies (i.e. the cloud for example) that are essential for maintaining a responsible market stance with the need for proper security controls.”

Why does this matter?

Having a data management programme that includes your retention periods is a fundamental obligation under the Data Protection Act. We’ve all enquired, “Can you just give me a quote?” or “Can you lend me a white paper?” in our lives, but what are businesses actually doing with that information?

DLM Group would advise and welcome a top-down review of your data management programme, including all your policies. Get in touch today.