Toyota says it was hacked by ex-IT contractor, sensitive information stolen

Filed Under: Data loss, Featured, Law & order, Vulnerability

ToyotaToyota has accused an IT contractor that the car manufacturer fired just last week of breaking into its computer systems, and stealing sensitive information including trade secrets.

In a complaint filed at the US District Court in Lexington, Kentucky, the North American branch of the Toyota Motor company claimed that Ibrahimshah Shahulhameed illegally accessed one of its websites, after being dismissed from his contracting job on August 23rd.

Within hours of his dismissal, Shahulhameed is said to have logged into the toyotasupplier.com website without authorisation, and spent hours downloading proprietary plans for parts, designs and pricing information.

The website is used by Toyota's suppliers to exchange highly sensitive information with the company about current and future products.

Toyotasupplier website

Toyota claims that if the information were shared with competitors, or made public, "it would be highly damaging to Toyota, and its suppliers, causing immediate and irreparable damage."

Claims have also been made that Shahulhameed sabotaged software running on Toyota's computer systems, and caused computers to crash, reports Automotive News.

A restraining order has been placed on Shahulhameed, who is an Indian citizen, preventing him from leaving the United States, or disseminating the trade secrets.

What isn't clear, at this time, is whether Toyota are claiming that Shahulhameed accessed their computer systems by exploiting a vulnerability or whether they had simply not reset staff passwords that he may have had access to in his position as an IT contractor with the firm.

Toyota car

In the past, we've reported how disgruntled former employees have attempted to wreak revenge on their former companies by opening up systems to spammers, planting malware, replacing the CEO's presentation with porn, or even making axe-wielding threats.

The details in the Toyota case are currently unclear. But regardless of that, it's a timely reminder to all businesses to remember the importance of reviewing who has access to your systems, and to underline that changing passwords and resetting access rights is essential when a member of staff leaves the company.

People do, of course, leave jobs all the time and most of them would never dream of logging back in to their old place of work. But it only takes one bad apple to wreak havoc - so make sure your defences are in place, and that only authorised users can access your sensitive systems.

,

You might like

10 Responses to Toyota says it was hacked by ex-IT contractor, sensitive information stolen

  1. wrossmck · 596 days ago

    Raises many a "IT professional moral ethics" question! Whenever I've finished work for a company, I tell them they should change the passwords that I used to access their network. Not because i'll suddenly turn evil, but my computer could be compromised, and then they could be in turn.

    Little good it does, though.

    • Tania · 596 days ago

      SNAP - in fact I make a colleague delete my accounts in front of me so I can't be blamed for anything. I had an ex-boss who blamed everything he did wrong on whomever left last. C.Y.A lol.

      • joe djamasi · 596 days ago

        Really?
        How odd!
        Surely some sort pf process needs to be followed for account deletions.

  2. wrossmck · 596 days ago

    "good practice" is something that simply isn't practiced enough these days! *ALL* companies should read this.

  3. joe djamasi · 596 days ago

    We still need to hear Ibrahimshah Shahulhameed's side of the story

    • Nigel · 596 days ago

      I don't think that's the point of the article, which is focused on the security risk inherent in opening one's system to access by outsiders, especially those who leave under circumstances that might impel them to abuse the access that was entrusted to them.

      The article is careful to report that the complaint against Mr. Shahulhameed CLAIMS he abused that trust in various ways. In no case does the article assert that those claims are true. Of course, you're free to follow up on your own and determine what Mr. Shahulhameed has to say for himself.

      Meanwhile, the article stands as a timely reminder that sensible security management should include terminating the access privileges of those who no longer need them for legitimate purposes.

  4. Randy · 596 days ago

    "or made public, "it would be highly damaging to Toyota, and its suppliers, causing immediate and irreparable damage."
    Maybe inside information on run-away accelerators or other safety defects? I think I'll put off buying a Toyota for a while. "Made public" and " irreparable damage" are two huge red flags.

    • Laurence Marks · 596 days ago

      Not the runnaway acceleration. More likely the price-fixing on the instrument clusters.

    • Andrew Ludgate · 596 days ago

      "Made public" and "irreparable damage" are legal weasel terms meaning "we don't want our competitors to know what we're doing next, as we want to have the marketing advantage".

      This shouldn't have any effect (positive or negative) on the actual safety of the products they make; it just affects the ROI of their shareholders, who can sue the management team/board if they're suspected of acting negligently - such as not restraining the contractor when they find out about a data leak and system manipulation.

      Outside of the assumed lack of controls in place here, if the contractor did indeed access areas of the site using credentials he should not have had, I'm actually impressed with how fast Toyota isolated the issues and went public with the breach. Most companies don't gather that sort of telemetry for weeks, and it can be months before they go public (if they ever do).

      This is not only a reminder about access management, it is also a reminder about how having processes in place to deal with breach situations works well when they are implemented well.

  5. Tim · 568 days ago

    This makes me angry. Where I'm from the IT industry suffered in the 90s due to IT workers claiming expertise but were unable to deliver and thus caused damage to the businesses they worked for and in turn the general attitude towards IT workers that followed.
    Now with this kind of malarkey employers and clients are going to hesitate, view with suspicion and even decline to use our services.
    Trust is everything in our game.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.