Security for Subsidiaries: 4 Lessons Learned From the Toyota Breach
Last week we heard about another massive data breach, this one through automobile maker Toyota, which exposed the information of 3.1 million customers. The incident occurred when hackers targeted Toyota subsidiaries including Lexus Koishikawa Sales, Lexus Nerima, Toyota Tokyo Sales Holdings, Toyota West Tokyo Corolla, Toyota Tokyo Corolla and Tokyo Tokyo Motor. The servers that were exposed held stored sales information including names, dates of birth and employment information.
While data breaches are unfortunately nothing new, this particular case resonates on a number of different levels. What can we learn from this latest data breach? Read on for our top four takeaways:
1. Companies must establish clear security policies with regard to their subsidiaries.
Some parent companies demand that their subsidiaries adhere to the same security policies. Other companies allow subsidiaries to establish their own security policies. Whichever is the case, it’s important to establish a minimum security baseline and to make sure that security accountability and responsibility are clearly communicated. Regularly sharing best practices and industry news between the subsidiary and the parent company will help enhance security for all groups.
2. A breach to a subsidiary is a breach to the parent company.
Enterprise companies like Toyota can own hundreds of subsidiaries that operate in different locations and time zones. If a subsidiary suffers a cyberattack, the parent company's brand can be tarnished as a result. This was the case with Toyota, which was breached through several of its subsidiaries based in Tokyo.
What can be done to prevent such incidents? Parent companies need to effectively evaluate and monitor the cyber posture of their subsidiaries. This can be accomplished with an assessment of public digital assets, meaning performing reconnaissance much the way a hacker would. It should be combined with automated security assessments that verify that the subsidiaries adhere to the agreed-upon standard.
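One way to make "adhere to the agreed-upon standard" checkable is to express the minimum baseline from point 1 as data and evaluate every subsidiary's internet-facing assets against it. The script below is an added example, not Toyota's or any vendor's tooling: the baseline values, the subsidiary names and the asset inventory are all constructed for illustration, and in practice the inventory would be fed from an external attack-surface scan or an asset register.

```python
"""Minimum-baseline compliance check for subsidiary-owned internet-facing assets.

Added example (not Toyota's or any vendor's tooling). The baseline values and
the asset inventory below are constructed for illustration; in practice the
inventory would come from an external attack-surface scan or an asset register.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Asset:
    subsidiary: str
    hostname: str
    tls_min_version: str          # lowest TLS version the service still accepts
    mfa_enforced: bool            # MFA required on the admin interface
    last_patched: date
    open_ports: set = field(default_factory=set)


# Constructed parent-company baseline that every subsidiary must meet.
BASELINE = {
    "tls_min_version": "1.2",
    "mfa_enforced": True,
    "max_patch_age_days": 30,
    "forbidden_ports": {21, 23, 3389},   # FTP, Telnet, RDP exposed to the internet
}

# Ordering used to compare TLS versions.
TLS_ORDER = ["1.0", "1.1", "1.2", "1.3"]


def check_asset(asset: Asset, baseline: dict, today: date) -> list:
    """Return the list of baseline deviations for one asset (empty if compliant)."""
    findings = []
    if TLS_ORDER.index(asset.tls_min_version) < TLS_ORDER.index(baseline["tls_min_version"]):
        findings.append(f"accepts TLS {asset.tls_min_version} (baseline: {baseline['tls_min_version']}+)")
    if baseline["mfa_enforced"] and not asset.mfa_enforced:
        findings.append("admin interface without MFA")
    age = (today - asset.last_patched).days
    if age > baseline["max_patch_age_days"]:
        findings.append(f"last patched {age} days ago (baseline: {baseline['max_patch_age_days']})")
    exposed = asset.open_ports & baseline["forbidden_ports"]
    if exposed:
        findings.append(f"forbidden ports exposed: {sorted(exposed)}")
    return findings


def assess_subsidiaries(assets: list, baseline: dict, today: date) -> dict:
    """Group deviations by subsidiary, then by host, so accountability is explicit."""
    report = {}
    for asset in assets:
        findings = check_asset(asset, baseline, today)
        if findings:
            report.setdefault(asset.subsidiary, {})[asset.hostname] = findings
    return report


# Constructed inventory for two hypothetical subsidiaries.
SAMPLE_ASSETS = [
    Asset("Dealer-A", "portal.dealer-a.example", "1.2", True, date(2019, 3, 20), {443}),
    Asset("Dealer-A", "crm.dealer-a.example", "1.0", False, date(2019, 1, 5), {443, 3389}),
    Asset("Dealer-B", "www.dealer-b.example", "1.2", True, date(2019, 3, 25), {80, 443}),
]

# Fixed reference date so the patch-age check is reproducible.
TODAY = date(2019, 4, 1)

if __name__ == "__main__":
    for sub, hosts in assess_subsidiaries(SAMPLE_ASSETS, BASELINE, TODAY).items():
        print(f"[{sub}]")
        for host, findings in hosts.items():
            for finding in findings:
                print(f"  {host}: {finding}")
```

Because the report is keyed by subsidiary, each deviation lands with the group that is accountable for it, which is the communication of responsibility point 1 asks for; the parent company can then run the same check on a schedule and track whether the gaps close.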
3. Subsidiary breaches are increasingly common.
Subsidiary breaches are not uncommon and can take place across every industry. Consider the following incidents:
- The personal health information of about 34,000 medical marijuana patients was accessed in a data breach through Sunniva Inc.’s Natural Health Services Ltd. subsidiary.
- Fortune 1000 company CNO Financial Group reported an instance of unauthorized access involving one of its subsidiaries, affecting over 500,000 people.
- Starwood Hotels & Resorts, a subsidiary of hospitality giant Marriott, recently suffered a major data breach, exposing the personal information of more than 500 million people.
In all of these cases, we see the same strategy: subsidiaries, which often have fewer security measures in place than their parent companies, are targeted by hackers as a way of accessing the larger company's data.
4. A company can suffer a data breach more than once.
The recent Toyota breach was actually the second one that the company suffered. The first took place just five weeks prior, in Australia.
Repeated attacks on the same company are also not unusual. Sony, for example, suffered numerous cyberattacks (including those on PlayStation and Sony Pictures), reportedly costing the company about $170 million. Repeated attacks indicate that vulnerabilities exist and have not been adequately addressed. Not surprisingly, hackers will exploit the opportunity accordingly.
Want to learn more about how to evaluate the security posture of your subsidiaries? Check out our data sheet now.