Nissan has confirmed that the cyber attack on its North American subsidiary resulted in a data breach impacting over 53,000 current and former employees.
The disclosure follows a multi-month investigation into the “targeted cyber attack” discovered on November 7, 2023, involving third-party cyber forensics experts and law enforcement.
Nissan North America (NNA) had initially assessed that the attacker stole corporate information devoid of personal information.
Nissan North America data breach leaked employees’ personal information
Nissan had determined that the threat actor exploited an external virtual private network (VPN), exfiltrated data from local network shares, shut down certain non-production systems, and demanded a ransom without encrypting devices.
“This attacker most likely used this tactic to potentially avoid detection that the encryption process would trigger and/or believed the systems could be restored quickly,” said Narayana Pappu, CEO at Zendata. “This is a fairly common tactic that we have seen used in Maze, NetWalker, and Clop ransomwares. The main leverage the attacker has on the company in this incident is the threat to release the data to public forums.”
On February 28, 2024, NNA determined that the threat actor also obtained personal information contrary to its previous assessment that had ruled out PII.
“Nissan has been reviewing the compromised data and recently discovered files containing certain personal information of our employees,” the automaker said in written data breach notification letters sent to the impacted victims on May 15, 2024.
According to a regulatory filing with the Office of the Maine Attorney General, the Nissan data breach leaked the names, Social Security Numbers, and other personal identifiers of 53,038 individuals.
However, no financial details, such as credit card or bank account information, were included in the documents that Nissan believes were “accessed, viewed, or removed.”
Over six months into the data breach, Nissan has no evidence that the threat actor has misused the stolen employee information. The automaker also believes the stolen employee data was not the threat actor’s primary target.
“At this time, we have no indication that any information has been misused or was the intended target of the unauthorized actor,” said the company.
Meanwhile, victims will benefit from Experian’s IdentityWorks ID theft protection services for 24 months to protect them from fraud “out of an abundance of caution,” the company said.
The Japanese carmaker has also taken additional steps to eject the threat actor and secure its infrastructure from future cyber attacks.
“Since the attack, NNA has taken several steps to strengthen its security environment, including an enterprise-wide password reset, implementation of Carbon Black monitoring on all compatible systems, vulnerability scans, and other actions to address unauthorized access,” the company said.
Nissan will also review its security processes and procedures for possible additional actions to protect personal information from unauthorized access.
Nissan hit with security incidents in the past year
The North American security incident is hardly Nissan’s first rodeo in the world of data breaches. In December 2023, Nissan Oceania suffered a significant data breach that leaked the personal information of 100,000 people in New Zealand and Australia.
The December 2023 Nissan Oceania data breach impacted current and former employees, dealers, and clients, including Mitsubishi, Renault, Skyline, Infiniti, LDV, and RAM-branded finance businesses. At least 10% of the victims had some form of government identification documents compromised.
The ransomware attack affected Nissan Motor Corporation and Nissan Financial Services and was later claimed by the Akira ransomware gang. According to a recent joint cybersecurity advisory by the FBI, CISA, EC3, and NCSC-NL, the prolific cybercrime group earned $42 million in 2023 after targeting over 250 businesses and critical organizations.
“When it comes to ransomware, or any other cyber threat vector, the best offense is a good defense,” said Darren Guccione, CEO and Co-Founder at Keeper Security. “A cybersecurity strategy and prudent investment are essential to prevent or mitigate the impacts of these types of cyber attacks, because no organization is immune.”
