Investigator Gains Unauthorized Access to Toyota Supplier Database Containing Data on 14000 Associates

Toyota's Global Supplier Preparation Information Management System (GSPIMS) was recently breached by a security researcher who responsibly reported the issue to the company. GSPIMS is a web application that allows employees and suppliers to remotely log in and manage the firm's global supply chain. The researcher, who goes by the pseudonym EatonWorks, discovered a backdoor in the system that allowed anyone to access an existing user account as long as they knew their email address. After testing the vulnerability, the researcher found that he could access thousands of confidential documents, internal projects, supplier information, and more. The issues were reported to Toyota on November 3, 2022, and the car maker confirmed that they had been fixed by November 23, 2022. EatonWorks published a detailed writeup about the discoveries after the 90-day disclosure process had passed. Toyota did not compensate the researcher for responsibly disclosing the discovered vulnerabilities. The researcher found that by modifying the JavaScript for certain routes and functions, he could unlock access to the app. He then discovered that the service was generating a JSON Web Token for password-less login based on the user's email address. By Googling Toyota employees or performing OSINT on LinkedIn, the researcher was able to find a regional admin account. From there, he was able to escalate to a system administrator account by exploiting an information disclosure flaw in the system's API. With a system administrator account, the researcher was able to access sensitive information like classified documents, project schedules, supplier rankings, and user data for 14,000 users. A malicious actor could have silently gained access to Toyota's system and then copied data without modifying anything, making it difficult to detect. It is unknown if this has already happened, but there have been no massive Toyota data leaks, so it is assumed that EatonWorks was the first to find the login bypass flaw. This disclosure follows a string of breaches, data leaks, and other vulnerabilities discovered over the past year.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 07 Feb 2023 16:00:04 +0000


Cyber News related to Investigator Gains Unauthorized Access to Toyota Supplier Database Containing Data on 14000 Associates

Investigator Gains Unauthorized Access to Toyota Supplier Database Containing Data on 14000 Associates - Toyota's Global Supplier Preparation Information Management System (GSPIMS) was recently breached by a security researcher who responsibly reported the issue to the company. GSPIMS is a web application that allows employees and suppliers to remotely ...
1 year ago Bleepingcomputer.com
How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
1 week ago Aws.amazon.com
Toyota warns customers of data breach exposing personal, financial info - Toyota Financial Services is warning customers it suffered a data breach, stating that sensitive personal and financial data was exposed in the attack. Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is a global entity with a ...
9 months ago Bleepingcomputer.com
Toyota confirms breach after Medusa ransomware threatens to leak data - Toyota Financial Services has confirmed that it detected unauthorized access on some of its systems in Europe and Africa after Medusa ransomware claimed an attack on the company. Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is ...
10 months ago Bleepingcomputer.com
Toyota Germany Says Customer Data Stolen in Ransomware Attack - Toyota Germany is notifying customers that their personal information was compromised in a ransomware attack last month. Initially disclosed in mid-November, the incident impacted the systems of Toyota Financial Services Europe & Africa, a subsidiary ...
9 months ago Securityweek.com
Toyota Germany Says Customer Data Stolen in Ransomware Attack - Toyota Germany is notifying customers that their personal information was compromised in a ransomware attack last month. Initially disclosed in mid-November, the incident impacted the systems of Toyota Financial Services Europe & Africa, a subsidiary ...
9 months ago Packetstormsecurity.com
Texas Retina Associates Notifies Nearly 300k People of Recent Data Breach - On June 26, 2024, Texas Retina Associates filed a notice of data breach with the Attorney General of Texas after discovering that confidential information that had been entrusted to the company was subject to unauthorized access. In this notice, ...
3 months ago Jdsupra.com
Keenan & Associates Reports Data Breach Exposing Social Security Numbers of More Than 1.5M - PRESS RELEASE. MARLTON, N.J., Jan. 29, 2024 /PRNewswire/ - Approximately 1.5 million consumers are being notified that their Social Security numbers and other confidential information were compromised when an unauthorized party was able to access the ...
8 months ago Darkreading.com
Toyota Data Breach Compromises Customer`s Financial Data - Toyota Financial Services reveals that hackers stole their customers' sensitive data in the last cyberattack. In November 2023, the Medusa threat group claimed the Toyota data breach and asked for a $8,000,000 ransom. The company did not seem to ...
9 months ago Heimdalsecurity.com
Major Database Security Threats and How to Prevent Them | Tripwire - Cybercriminals can also attempt to seize control of the organization’s data management system, altering privileges so they can gain database access at any time. Data loss prevention (DLP) solutions can do a lot to prevent occurrences like ...
1 week ago Tripwire.com
Database Security - In today's rapidly evolving digital landscape, marked by the ascendancy of Artificial Intelligence and the ubiquity of cloud computing, the importance of database security has never been more pronounced. Effective database security strategies not ...
8 months ago Feeds.dzone.com
Gaining Access to Toyotas Supplier Network Through Vulnerability - A security researcher, Eaton Zveare, identified a major security flaw in Toyota's Global Supplier Preparation Information Management System (GSPIMS) web portal. This portal provides Toyota employees and suppliers with access to ongoing projects, ...
1 year ago Securityweek.com
Top 7 Database Security Best Practices - Whether you're managing sensitive customer information or intricate analytics, database security should be at the top of your priority list. This article dives deep into the top 7 database security best practices that will help you fortify your ...
4 months ago Securityboulevard.com
Building a Sustainable Data Ecosystem - Finally, I outline future research and policy refinement directions, advocating for a collaborative and responsible approach to building a sustainable data ecosystem in generative AI. In recent years, generative AI has emerged as a transformative ...
6 months ago Feeds.dzone.com
Data Protection in Educational Institutions - This article delves into the significance of data protection in educational institutions, emphasizing three key areas: the types of educational data, data privacy regulations, and data protection measures. Lastly, robust data protection measures are ...
9 months ago Securityzap.com
Assessing and mitigating cybersecurity risks lurking in your supply chain - Most involve the supply of software and digital services, or at least are reliant in some way on online interactions. SMBs in particular may not proactively be looking, or have the resources, to manage security in their supply chains. Blindly ...
8 months ago Welivesecurity.com
Data De-Identification: Balancing Privacy, Efficacy & Cybersecurity - COMMENTARY. Global data privacy laws were created to address growing consumer concerns about individual privacy. These laws include several best practices for businesses about storing and using consumers' personal data so that the exposure of ...
10 months ago Darkreading.com
ID Theft Service Resold Access to USInfoSearch Data - One of the cybercrime underground's more active sellers of Social Security numbers, background and credit reports has been pulling data from hacked accounts at the U.S. consumer data broker USinfoSearch, KrebsOnSecurity has learned. Since at least ...
10 months ago Krebsonsecurity.com
Data Classification: Your 5 Minute Guide - Data classification has become a vital component of data security governance. With the rise of virtual data networks, organizations must take necessary measures to protect and secure confidential information. Data classification is the process of ...
1 year ago Tripwire.com
Decoding the data dilemma: Strategies for effective data deletion in the age of AI - Businesses today have a tremendous opportunity to use data in new ways, but they must also look at what data they keep and how they use it to avoid potential legal issues. Forrester predicts a doubling of unstructured data in 2024, driven in part by ...
6 months ago Venturebeat.com
Aim for a modern data security approach - Risk, compliance, governance, and security professionals are finally realizing the importance of subjecting sensitive workloads to robust data governance and protection the moment the data begins traversing the data pipeline. Why current data ...
10 months ago Helpnetsecurity.com
Strategies for Securing Student Data in Cloud Services - This article addresses the strategies that educational organizations can employ to ensure the protection and confidentiality of student data in cloud services. Implementing strong access controls is crucial for ensuring the security of student data ...
9 months ago Securityzap.com
Data Loss Prevention for Business: Strategies and Tools - Data Loss Prevention has become crucial in today's data-driven business landscape to protect sensitive information. This discussion aims to provide valuable insights into DLP strategies and tools for business, helping mitigate data loss risks ...
8 months ago Securityzap.com
When a Data Mesh Doesn't Make Sense - The data mesh is a thoughtful decentralized approach that facilitates the creation of domain-driven, self-service data products. Data mesh-including data mesh governance-requires the right mix of process, tooling, and internal resources to be ...
6 months ago Feeds.dzone.com
Console & Associates, P.C.: ESO Solutions Notifies 2.7M of Data Breach - PRESS RELEASE. MARLTON, N.J., Dec. 20, 2023 /PRNewswire/ - Approximately 2.7 million patients are being notified that their Social Security numbers and other confidential information were compromised when an unauthorized party gained access to ESO ...
9 months ago Darkreading.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)