Last week we heard about another massive data breach, this one through automobile maker Toyota, which exposed the information of 3.1 million customers. The incident occurred when hackers targeted Toyota subsidiaries including Lexus Koishikawa Sales, Lexus Nerima, Toyota Tokyo Sales Holdings, Toyota West Tokyo Corolla, Toyota Tokyo Corolla and Tokyo Tokyo Motor. The servers that were exposed held sales information, including names, dates of birth and employment information.
While data breaches are unfortunately nothing new, this particular case resonates on a number of different levels. What can we learn from this latest data breach? Read on for our top four takeaways:
Some parent companies demand that their subsidiaries adhere to the same security policies. Other companies allow subsidiaries to establish their own security policies. Whichever is the case, it’s important to establish a minimum security baseline and to make sure that security accountability and responsibility are clearly communicated. Regularly sharing best practices and industry news between the subsidiary and the parent company will help enhance security for all groups.
Enterprise companies like Toyota can sometimes own hundreds of subsidiaries that operate in different locations and time zones. If a subsidiary suffers a cyberattack, the parent company’s brand can be tarnished as a result. This was the case with Toyota, which was breached through several of its subsidiaries based in Tokyo.
What can be done to prevent such incidents? It’s important for parent companies to effectively evaluate and monitor the cyber posture of their subsidiaries. This can be accomplished with an assessment of public digital assets, that is, by performing reconnaissance much the way a hacker would. That assessment should be combined with automated security assessments that ensure that the subsidiaries adhere to the agreed-upon standard.
Subsidiary breaches are not uncommon and can take place across every industry. Consider the following incidents:
In all of these cases, we see the same strategy: Subsidiaries—which can often have fewer security measures in place than their parent companies—are targeted by hackers as a way of accessing the larger company’s data.
The recent Toyota breach was actually the second one that the company suffered. The first took place just five weeks prior, in Australia.
Repeated attacks on the same company are also not unusual. Sony, for example, suffered numerous cyberattacks (including PlayStation and Sony Pictures), reportedly costing the company about $170 million. Repeated attacks indicate that vulnerabilities exist and have not been adequately addressed. Not surprisingly, hackers will exploit the opportunity accordingly.