Following a cyberattack in December 2023, Nissan confirms a data leak impacting customers, dealers, and employees. Information potentially compromised includes names, contact details, and even government-issued IDs for up to 10% of those affected. Nissan is notifying individuals and offering support services.
Nissan Motor Corporation’s Oceania region has confirmed a data breach impacting roughly 100,000 individuals. The breach, linked to a December 2023 cyberattack claimed by the Akira ransomware group, exposed the personal information of customers, dealers, and some current and former employees.
For your information, Nissan Motor Corporation and Nissan Financial Services in Australia and New Zealand were impacted by a cyberattack on December 5, 2023.
“On 5 December 2023, a malicious third party obtained unauthorised access to our local IT servers. We took immediate action to contain the breach, and promptly alerted the relevant government authorities, including the Australian and New Zealand national cyber security centres and privacy regulators” Nissan revealed in an update released on 13 March 2024.
Akira ransomware group claimed to have stolen 128 GB of information including corporate files and personal information. Other impacted businesses included Mitsubishi, Renault, Skyline, Infiniti, LDV, and RAM. Hackers then published files stolen from Nissan systems, indicating the company refused ransom demands.
Nissan detected the ‘disruptive incident’ the same month and notified customers but crucial details about data exfiltration weren’t confirmed until now. While the exact nature of the compromised data remains under investigation, Nissan acknowledges the possible leak of government-issued identification documents, names, and contact details. The company emphasizes that they are still validating contact information and removing duplicates, so the final number affected might be slightly lower.
Nissan Oceania has now started contacting the 100,000 affected individuals. The carmaker has reported that the type of information compromised in the breach might be different for each affected individual.
The company estimates that up to 10% of individuals may have had their government identification compromised, with the data set including 4,000 Medicare cards, 7,500 driver’s licenses, 220 passports, and 1,300 tax file numbers. The remaining 90% of the affectees Nissan is notifying have had other personal information impacted, including loan-related transaction statement copies, employment or salary information, and general information like dates of birth.
The company is providing support services to affected individuals and enhancing cybersecurity measures to prevent future incidents, while also offering free identity theft and credit services.
Nissan advises customers to remain vigilant and be cautious of any suspicious emails, calls, or text messages. They recommend monitoring financial statements for unauthorized activity and considering placing a fraud alert on their credit reports.
Experts Comments
Commenting on the news and providing insight, Erfan Shadabi, a cybersecurity expert at comforte AG said, “This data breach on Nissan demonstrates just how important it is for every organization to rethink data security. Nissan must now assess just how much sensitive information has been released.”
“Hopefully, they can navigate this situation effectively with minimal damage. The distressing fact is that ordinary individuals and users invariably find themselves at the mercy of organizations failing to fortify their data against potential breaches. The fallout from such incidents can range from identity theft to financial losses, leaving users vulnerable to a myriad of cyber threats,” Shadabi warned.
“The ironic thing is that enterprises can avoid the threat of leaked hijacked data simply by taking a data-centric approach to protecting sensitive information. Using tokenization or format-preserving encryption, businesses can obfuscate any sensitive data within their data ecosystem, rendering it incomprehensible no matter who has access to it. These reports should all be treated as cautionary tales, as any enterprise might find itself in the same boat without the proper data-centric approach,” he stressed.