Posted on January 17, 2023 at 4:13 PM
Nissan North America suffered a major data breach and is already alerting affected customers. The breach happened at a third-party service provider and led to customer information being exposed.
Nissan North America suffers a data breach
The company has already reported the security incident to the Office of the Attorney General of Maine. The report was made on January 16, 2023. In it, Nissan revealed that the breach had affected 17,998 customers.
In the notification that Nissan sent to its customers, the company said that one of its software development vendors alerted it to a data breach on June 21, 2022. The vendor shared the extent of the breach and its effects on Nissan customers.
Nissan had shared customer data with the third-party service provider for use in creating and testing software solutions for the automaker. However, a poorly configured database at the vendor left the shared customer data exposed to threat actors.
After Nissan learned about the breach, the automaker said that it secured the exposed database. It then conducted an internal investigation to determine the full extent of the breach. This investigation revealed that on September 26 last year, an unauthorized individual had likely accessed the data. This showed that threat actors might have gained access to the information of some customers.
The notice by the automaker notes that “during our investigation on September 26, 2022, we determined that this incident likely resulted in the unauthorized access or acquisition of our data, including some personal information belonging to Nissan customers.”
The automaker revealed that the exposed data was embedded in code used to test the software the vendor was developing for the company. The data was temporarily stored in a cloud-based public repository, which exposed it to a potential data breach.
The customer information stolen during the breach includes full names, dates of birth, and Nissan finance account (NMAC) numbers. However, Nissan has clarified that the stolen information does not include more sensitive data such as Social Security numbers or credit card details.
Nissan has said that, since the breach and its investigation, it has not obtained any evidence that the customer information has been misused. This is despite signs that an unauthorized person had likely accessed the data. The automaker has also said that it has sent notices to its customers urging them to remain vigilant in case the stolen data is used for other attacks, such as phishing campaigns.
Nissan is also offering an incentive to the more than 17,000 customers affected by the breach. The company has said that those who receive a notice of the breach will get a one-year membership in identity protection services, provided by Experian.
Data security incidents targeting automakers
Cybersecurity attacks have been rising across different industries, and the automotive sector has not been spared. The recent breach at a third-party vendor is not the only incident at Nissan North America.
The company also suffered a similar security incident in January last year, when a Git server was exposed online. The server had default access credentials, which led to several of the firm’s repositories being made public.
This was one of the largest breaches that Nissan North America has ever experienced, leading to the leak of 20GB of data. The leaked information included the source code of mobile apps and internal tools, data on client acquisitions and market research, diagnostics, and the details of NissanConnect services.
Nissan is not the only automaker that suffered a breach last year. In October last year, Toyota suffered a similar breach, which led to the personal details of 296,019 customers being exposed online.
The exposure of a GitHub repository caused the breach at Toyota. The repository, which contained access keys to Toyota’s databases, was left open to the public for five years, and threat actors exploited the exposure to steal information. Additionally, alongside other automakers, Nissan has been following poor API security practices in its mobile applications and online portals. This led to account takeovers and exposed customer information that could later be used to conduct other campaigns.