Nissan Oceania data breach impacted roughly 100,000 people

The ransomware attack that hit the systems of Nissan Oceania in December 2023 impacted roughly 100,000 individuals.

Nissan Oceania, the regional division of the multinational carmaker, announced in December 2023 that it had suffered a cyber attack and launched an investigation into the incident. Nissan immediately notified the Australian Cyber Security Centre and the New Zealand National Cyber Security Centre.

Nissan Oceania refers to the regional operations of the Nissan Motor Company in the Oceania region, which includes Australia and New Zealand.

Nissan, a Japanese multinational automaker, operates globally, and its regional divisions manage business activities in specific geographic areas.

“The Australian and New Zealand Nissan Corporation and Financial Services (‘Nissan’) advises that its systems have been subject to a cyber incident. Nissan is working with its global incident response team and relevant stakeholders to investigate the extent of the incident and whether any personal information has been accessed,” reads the statement published by the company on its website.

The company did not share details about the attack or its scope, but a few weeks later the Akira ransomware group claimed to have stolen 100 GB of information from the company. Stolen data included corporate files and personal information.

Nissan refused to pay the ransom and the cybercrime group published the allegedly stolen files.

This week, Nissan Oceania announced that it had started notifying the impacted individuals.

The company added that the data breach impacted some Nissan customers, dealers, and current and former employees. The data breach also impacted the customers of Mitsubishi, Renault, Skyline, Infiniti, LDV and RAM branded finance businesses.

“Nissan expects to formally notify approximately 100,000 individuals about the cyber breach over the coming weeks. This number might reduce as contact details are validated and duplicated names are removed from the list,” reads the update published by the company. “The type of information involved will be different for each person. Current estimates are that up to 10% of individuals have had some form of government identification compromised. The data set includes approximately 4,000 Medicare cards, 7,500 driver’s licenses, 220 passports and 1,300 tax file numbers. The remaining 90% of individuals being notified have had some other form of personal information impacted; including copies of loan-related transaction statements for loan accounts, employment or salary information or general information such as dates of birth.”

The company is offering free identity theft and credit monitoring services to the impacted individuals; it is also reimbursing those who need to replace their government ID due to the incident.

In January 2021, a misconfigured Git server caused the leak of the source code of mobile apps and internal software used by Nissan North America. The software engineer Tillie Kottmann was informed by an anonymous source that the Git server was exposed online and accessible to anyone using the default login credentials admin/admin.

In December 2017, Nissan Finance Canada was hacked; personal information of 1.13 million customers may have been exposed as a result of a data breach discovered by the company on December 11 (the biz took 10 days to disclose the incident).


Pierluigi Paganini

(SecurityAffairs – hacking, Nissan Oceania)
