Toyota Breach-Aftermath of Data Breach Catastrophe

A couple of months ago, Toyota, the leading manufacturer in the automobile industry, was dealing with an augmenting catastrophe. It was distressing to hear that a company with such an amplitude of resources in diverse fields was heisted of its crucial information. Over a mere period of six months, it fell victim to a series of data breaches in Australia, Thailand, Vietnam and Japan. Toyota itself affirmed the data breach on its official website on 29th March 2019. In this breach, unethical hackers exploited over 3.1 million people's sensitive data. After a deep-dive into the scenario, the officials concluded that the violation was an outcome of unauthorized access to a server connected to the company's network.

It was a sign of relief for everyone when the organization announced that no customer credit card information was disclosed. However, Toyota notified that personal information exposed through unauthorized access included name, birth date and employment information. In a manner, the breach did stir up with the parts supplies process, thus resulting in delays at the service brand centre. The Toyota Motor North America (TMNA) ministered the situation, and thus reassured that data breach in no manner affected the customers in the United States.

Commencing in Japan, the cyberattack was strategically organized at eight different Toyota sales subsidiaries or their affiliates, including independent Toyota and Lexus car dealerships in Tokyo. Affected units by third party hackers included Toyota Tokyo Sales Holdings, Toyota Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Nets Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla. Amidst all these events, Toyota took a considerable approach. Not only did they publicly apologized to the masses, but also assured their diligence about implementing end to end information security measures at dealers and entire Toyota group.

Be it Toyota data breach or other thousands of data breaches that happen every year around the globe, all of them are directly or indirectly linked to the vulnerabilities within their IT Infrastructure. So this brings us to next question  What are Vulnerabilities ?

The simplest definition states that “The quality or state of being exposed to the possibility of being attacked or harmed“. Vulnerabilities are weakness of IT infrastructure which can be oppressed by attackers granting them access to your database or take control over your system. Let’s get familiar with some of the most common vulnerabilities :

- Security Misconfiguration  - Security misconfiguration vulnerabilities could occur if a particular element within an IT environment is liable to an attack due to insecure security misconfigurations. Security misconfiguration can take place at any level of the application stack, including multiple components like app platform, web server & application server, framework, and custom code.

Example: Unintentional installation of app server admin console and failure of its deportation.

- SQL injection  - This is a code injection technique which spotlights the databases of organization. This type of attack is initiated by releasing a sophisticated and malicious SQL statement as an input to the system. Attackers use SQL injection vulnerabilities to bypass the in place installed security measures, thus achieving their cybercrime goal.

Example: UNION operator is most vividly used SQL injection technique. This facilitates the attacker to initiate the output of more than 2 SQL statement in one single code.

- Buffer overflow attack  -Every database has a transitory area of data storage within its scope which is termed as a buffer area. When an attacker gives input to program in such a manner that data limit is outreached in the buffer area, which results in exploitation of system, it is termed as buffer overflow attack

EX: Heap-based buffer overflow attack is a sophisticated attack which aims at exploiting the buffer area reserved for a program itself, thus resulting in the crashing of program.

- Remote Code Execution  - In remote code execution, the attacker shoots out commands or codes remotely into a system which is physically or geographically inaccessible. This gives liberty to the attacker to intrude remote IT infrastructure and make undesirable modifications.

EX: CVE-2018-8248 vulnerability, also known as Microsoft Excel Remote Code Execution Vulnerability, allows an attacker to run malware on the vulnerable computer.

- SMB -  Server Message Block  protocol is a connection between the client and the remote server. It facilitates a platform where the client can get access to files, printers, serial ports and other resources on a network. Over here, the attackers use the unpatched system to get access to the infrastructure in a multitude of possibilities.

Example: Eternal Blue is a common SMB vulnerability where the attacker execute arbitrary code on the victim machine, as the SMB version 1 is incapable of handling specially crafted packets from remote attackers.

- Local file inclusion  – It gives the attacker the freedom to encompass files on the server via a web browser. This kind of vulnerability comes into the picture when a web application includes a file without verifying the input which allows the attacker to manipulate the input data and rephrase it according to their own convenience.

Example: The attacker can see the content of a sensitive file by replacing contact.php with the path of confidential data. This type of LFI arises when the developer fails to implement appropriate filtering at parsing component of a language interpreter.

- Remote file exclusion  - In this vulnerability, the webserver is intruded through a script, including a remote host file. The remote host file then intrudes the system producing changes as per the attacker's will. These types of attack generally happen at PHP running websites. In this technique, the attacker can execute code hosted on his machine and get unauthorized access within the victim machine

Example: Custom code infamous C99 is a malicious script used by the attacker for PHP based RFI vulnerability.

As every disaster has an underlying truth and a lesson within itself, this breach also taught us that every organization should be diligent about their cybersecurity controls and measures. We learnt that basic security controls are not sufficient to protect your organization from modernistic cyberattacks. Hence, additional layers of security controls are fundamentals of robust hardwired secure IT infrastructure. The organizations should execute physical, logical and administrative controls to linearize organization safety on a tenacious path. How organizations can pursue such up to date security is by obliging to global standards as such PCI DSS, PA DSS, PCI 3DS, ISMS, GDPR, SOC (1, 2 & 3) and HIPAA etc.