Toyota's Customer 360 customer relationship management platform had a severe security flaw that enabled access to the automaker's Mexican customers' personal data, according to SecurityWeek.
Security researcher Eaton Zveare bypassed the CRM platform's authentication by altering the Angular JavaScript code of its development/testing apps, found exposed API endpoints in that code, and modified the development app to call the production API instead, which gave access to customer data including names, phone numbers, home and email addresses, tax IDs, vehicle history, and purchase and service records.
"The production and QA API endpoints use Amazon API Gateway and probably would have been impossible to find if they weren't included in the dev apps' code. With the login bypass and API change in place, it was possible to access production data," said Zveare.
Toyota resolved the issue three weeks after Zveare notified it on Oct. 30. The report comes a month after Zveare disclosed that Toyota's global supplier management network web portal allowed data tampering and exfiltration.
Ontario's perinatal, newborn, and child registry, Better Outcomes Registry & Network, had sensitive data on nearly 3.4 million individuals compromised in late May as part of the widespread MOVEit hack carried out by the Cl0p ransomware operation, BleepingComputer reports.
Major U.S. consumer product leasing firm Progressive Leasing has disclosed that a cyberattack impacted some of its systems and resulted in the significant compromise of personally identifiable information belonging to its customers and other individuals, according to The Record, a news site run by cybersecurity firm Recorded Future.