Nissan North America (Nissan) suffered a data breach last year when a threat actor targeted the company’s external VPN and shut down systems to demand a ransom.
The car maker discovered the breach in early November 2023 and recently determined that the incident exposed personal data belonging to more than 53,000 current and former employees.
“As shared during the Nissan Town Hall meeting on December 5, 2023, Nissan learned on November 7, 2023, that it was the victim of a targeted cyberattack. Upon learning of the attack, Nissan promptly notified law enforcement and began taking immediate actions to investigate, contain, and successfully terminate the threat,” the company said in a notification to impacted individuals.
Nissan disclosed that the threat actor targeted its external VPN and then shut down certain company systems before asking for a ransom. The company notes that none of its systems were encrypted during the attack.
Working with external cybersecurity experts, the company was able to assess the situation, contain the incident, and terminate the threat.
The subsequent investigation revealed that the hacker had accessed some files on local and network shares that contained mostly business information.
However, on February 28 the company “identified certain personal information in the data primarily relating to current and former NNA [Nissan] employees including Social Security numbers.”
In a data breach notification to the Office of the Maine Attorney General, the company states that the exposed details included a personal identifier (e.g. name) and Social Security numbers, and that financial details were not present in the files accessed by the threat actor.
Nissan notes that it is not aware of the exposed data having been misused.
To mitigate the risk of this data exposure, though, Nissan enclosed instructions for letter recipients on how they can enroll in a free-of-charge 24-month credit monitoring and identity theft protection service through Experian.
Nissan has been the target of several security incidents over the past few years, which affected various divisions of the Japanese car manufacturer.
In early December 2023, Nissan Oceania (Australia and New Zealand) announced an investigation into a cyberattack and potential data breach. In March 2024, Nissan confirmed that Akira ransomware had stolen data belonging to 100,000 of its customers.
In January 2023, Nissan North America suffered an indirect breach when a third-party technology service provider exposed the data of 17,988 customers due to a poorly configured database.
Two years before, Nissan North America left an exposed Git server repository online using default (admin/admin) credentials, exposing 20 GB of source code for internal apps and tools.
Nissan reacted by pulling the repository offline only when it was notified by a researcher who spotted users sharing the source code via torrents.