
Under the Hood: Examining Toyota’s Recent Data Breach

Toyota recently confirmed a data breach originating from a third-party entity, exposing sensitive information on both customers and employees. The breach, attributed to the threat actor ZeroSevenGroup, compromised 240GB of data. This data included contact details, financial documents, and even network credentials. This breach highlights the vulnerabilities in supply chain security, especially as attackers exploited weak points in a third-party service.

Unfortunately, this type of news isn't going to stop anytime soon. For those who have yet to be impacted by a security incident from a third-party vendor they work with, sadly it's only a matter of time. I don't say that lightly either. If you're reading this, there's a high likelihood you've been in the security business for some time. You also, most likely, operate by the assumption "it's not a matter of if, but when."

What's most troubling about Toyota's security incident, and others like it, is that this third party probably had a properly configured API and secret (token) to connect to Toyota's systems. But this traffic doesn't route through the same security controls as traditional HTTP traffic. The connection was authenticated and legitimate, so the data that was exfiltrated looked normal.

I have to make some assumptions here, but my guess is Toyota didn't have controls monitoring the traffic volume or destination IP of that "legitimate" traffic. Even with a WAF or API gateway, it's not guaranteed that this would have been recognized as malicious. Placing proper controls on the API and monitoring the activity of the secret(s) being used would have helped Toyota detect this anomalous behavior more quickly, leading to faster mitigation or proper resolution.
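As an added example (not Toyota's or Vorlon's code), this is the kind of per-secret check the paragraph above describes, run over a constructed API gateway log: build a baseline of each token's daily volume and the destinations it sends data to, then alert when a token moves far more than its busiest baseline day or sends data somewhere never seen before. The log format, token names, IP addresses (documentation ranges) and the 5x threshold are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed log format (assumption): "<ISO ts> token=<id> dst=<ip> bytes=<n>"; dst = where the data goes.
LINE_RE = re.compile(r"^(?P<ts>\S+) token=(?P<token>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")
SAMPLE_LOG = """\
2024-08-01T09:00:00 token=vendor-A dst=203.0.113.10 bytes=400000
2024-08-02T09:00:00 token=vendor-A dst=203.0.113.10 bytes=420000
2024-08-03T09:00:00 token=vendor-A dst=203.0.113.10 bytes=390000
2024-08-04T02:10:00 token=vendor-A dst=198.51.100.77 bytes=2500000000
2024-08-04T09:00:00 token=vendor-A dst=203.0.113.10 bytes=410000
""".splitlines()

def parse(lines):
    """Parse log lines into (day, token, dst, bytes); malformed lines are skipped, not fatal."""
    matches = (LINE_RE.match(line.strip()) for line in lines)
    return [(date.fromisoformat(m["ts"][:10]), m["token"], m["dst"], int(m["bytes"])) for m in matches if m]

def baseline(records, start, end):
    """Per token over [start, end): busiest daily byte total and the set of destinations seen."""
    daily, dsts = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for day, token, dst, n in records:
        if start <= day < end:
            daily[token][day] += n
            dsts[token].add(dst)
    return {t: (max(days.values()), dsts[t]) for t, days in daily.items()}

def detect(records, day, base, volume_factor=5):
    """Flag a token on `day` if it moves more than volume_factor x its busiest baseline day,
    if it sends data to a destination never seen in the baseline, or if it has no baseline."""
    total, new_dsts = defaultdict(int), defaultdict(set)
    for d, token, dst, n in records:
        if d == day:
            total[token] += n
            if token not in base or dst not in base[token][1]:
                new_dsts[token].add(dst)
    alerts = []
    for token, n in sorted(total.items()):
        peak = base[token][0] if token in base else 0  # unknown token: any volume is anomalous
        if n > volume_factor * peak:
            alerts.append((token, f"volume {n} bytes exceeds {volume_factor}x baseline peak {peak}"))
        for dst in sorted(new_dsts[token]):
            alerts.append((token, f"new destination {dst}"))
    return alerts

def run_sample():  # baseline on 1-3 Aug of the constructed log, then check 4 Aug
    recs = parse(SAMPLE_LOG)
    return detect(recs, date(2024, 8, 4), baseline(recs, date(2024, 8, 1), date(2024, 8, 4)))
```

In a real deployment the baseline would come from the gateway's access logs keyed by the credential actually presented, and the alert would feed the SOC rather than a return value.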


At Vorlon, this type of security is what we specialize in. We observe and monitor third-party applications and analyze the data they share for anomalous behavior. We're an early-stage start-up with an innovative product that helps companies proactively manage their third-party landscape.

Check out the use cases on our website! Or request a demo or FREE risk observation report to learn more.