In November 2023, Nissan North America fell victim to a cyberattack. The Nissan Data Breach affected the company’s external virtual private network (VPN) connection, enabling threat actors to access internal systems. Once inside, the attackers shut down some Nissan IT systems, in an effort to force the automaker to pay a ransom.
What Happened in the Nissan Data Breach?
Nissan first discovered the security incident in early November 2023. However, it was only recently revealed that the breach resulted in the theft of personal information on over 53,000 current and former Nissan employees.
The stolen data included names, Social Security numbers, dates of birth, pay information and medical records for certain individuals. Nissan is now offering all impacted employees free credit monitoring and identity theft protection services in response.
“As shared during the Nissan Town Hall meeting on December 5, 2023, Nissan learned on November 7, 2023, that it was the victim of a targeted cyberattack. Upon learning of the attack, Nissan promptly notified law enforcement and began taking immediate actions to investigate, contain, and successfully terminate the threat,”
The company said in a notification.
In a report on the November 2023 incident, Nissan revealed that the cyberattack began when threat actors targeted the automaker’s external virtual private network (VPN). After gaining entry through the VPN, the hackers proceeded to shut down certain Nissan information systems. They then demanded a ransom to restore access.
An important note from Nissan was that none of its impacted systems had encryption enabled at the time of the attack, making the stolen or blocked data more easily accessible to the criminals.
Working rapidly with outside cybersecurity experts, Nissan was able to assess the scope, contain the breach, and shut down the threat actors’ access. As part of its investigation and response, the company conducted detailed forensic analysis.
This analysis showed that the hackers had browsed files and data on local machines and network file shares within Nissan’s environment. Primarily, the accessed information consisted of business documents and other corporate materials, rather than personal or sensitive data.
Nissan North America Data Breach Also Exposed Social Security Numbers of Employees
However, in late February 2024, Nissan announced it had identified personal information relating to current and former employees during a follow-up forensic analysis. The exposed data included Social Security numbers for many individuals.
This suggests the hackers may have had greater access to Nissan’s network than initially realized. While the incident was contained in November, the subsequent discovery of impacted personal records highlighted the importance of thorough investigatory work.
Nissan is now offering services like credit monitoring to the over 53,000 employees impacted. The revelation demonstrates the need for all organizations to carefully review incidents for any missed personal data exposures.
The subsequent investigation revealed that the hacker had accessed some files on local and network shares that contained mostly business information.
Notification of the Ransomware Attack on Nissan Was Filed in the Office of the Maine Attorney General
In its data breach notification filed with the Office of the Maine Attorney General, Nissan provided more information on the personal data exposed in the February 2024 discovery. The company stated the files accessed by the hackers contained a personal identifier like a name coupled with social security numbers for affected individuals. However, financial details were not present.
While Nissan is not aware of any misuse of the exposed data to date, the automaker is taking steps to help mitigate risks for those impacted. In the notification letter, Nissan enclosed instructions for enrolling in a free 24-month credit monitoring and identity protection service through Experian.
This service aims to safeguard the over 53,000 current and former employees whose personal information including names and SSNs was accessible to the threat actors during last year’s cyber incident.
Nissan Has Faced Multiple Data Breaches in The Past
Here are the key details from the multiple security incidents affecting Nissan over the past few years:
- In December 2023, Nissan Oceania (Australia/New Zealand) announced an investigation into a potential cyberattack and data breach.
- In March 2024, Nissan confirmed the Akira ransomware had stolen data on 100,000 customers from an unknown Nissan division.
- In January 2023, Nissan North America suffered an indirect breach when a third-party vendor exposed data on 17,988 customers in a misconfigured database.
- In January 2021, Nissan North America left an exposed Git server repository online for an unknown period using default credentials. This exposed 20GB of internal application source code. Nissan only pulled the repository when notified by a researcher who found the source code being shared online.
The string of incidents, some directly impacting Nissan and others indirect due to partners, shows the auto giant can benefit from improved security practices, vendor oversight, and swift response to reduce future risk and impact.