Medusa ransomware gang claims data breach of Toyota Financial Services in Germany

Hacking group posts proof-of-hack details, including passports, alongside un-hashed passwords.

David Hollingworth
Thu, 16 Nov 2023

A ransomware gang is claiming to have exfiltrated a trove of sensitive data from Toyota Financial Services in Germany.

The Medusa gang made the claim on its leak site today (16 November), posting screenshots of several documents to prove the hack is real, alongside a file tree of all the data exfiltrated.

Included in the files are a number of financial documents, numerous spreadsheets, what looks to be payment and refinancing plans, and scans of a Serbian passport.


In particular, one of the documents includes usernames and un-hashed passwords for several production and development environments, including remote desktop details, SQL servers, and metadata repositories. Access key IDs and secret access keys are also included.

Medusa has also included a brief description of the hack.

“Toyota Motor Corporation is a Japanese multinational automotive manufacturer headquartered in Toyota City, Aichi, Japan,” Medusa’s leak site said. “Toyota is one of the largest automobile manufacturers in the world, producing about 10 million vehicles per year.

“The leaked data is from Toyota Financial Services in Germany. Toyota Deutschland GmbH is an affiliated company held by Toyota Motor Europe (TME) in Brussels/Belgium and located in Köln (Cologne).”

The leak site includes a countdown to when the data will be published completely, in 10 days on 26 November.

Medusa has also published its ransom demand – an impressive US$8 million to either delete the data wholesale or to purchase it and download it immediately. For US$10,000 a day, the gang will extend the deadline for 24 hours.

The file tree of the leak seems to have a large amount of data, including 52 separate backup files, each just over four gigabytes in size. In a folder called Vault, there is a list of files called trustee_quota.export. A folder labelled Personal has a large number of PDF scans of various documents that appear to be work orders and commissions, as well as several passport scans.

There are 10 folders in total and hundreds of gigabytes of data listed.

A spokesperson from Toyota has confirmed that an incident took place and is being investigated.

"Toyota Financial Services Europe & Africa recently identified unauthorised activity on systems in a limited number of its locations," Toyota told Cyber Daily via email. "We took certain systems offline to investigate this activity and to reduce risk and have also begun working with law enforcement. In most countries, we have started bringing our systems back online. We are working diligently to get systems back online as soon as possible and we regret any inconvenience caused to our customers and business partners. As of now, this incident is limited to Toyota Financial Services Europe & Africa. Toyota Financial Services Europe & Africa prioritises the security and privacy of the data we hold and will provide further updates as appropriate."

When asked what data had been impacted, and if stakeholders had been notified, Toyota told us the situation was still evolving.

"To your point about notifications, if TFSE discovers relevant data leakage we will notify our customers immediately in line with legal and data protection requirements."

UPDATED 8.57am AEST, 17/11/23, to add TFSE response.
