Nissan North America has disclosed a third-party data breach that exposed the personal information of nearly 18,000 customers.
The automaker said it provided customer data for processing during software testing, but the third-party software development firm temporarily stored it on a public cloud.
Nissan is in the process of notifying affected customers and has taken additional steps to stop further access, protect victims from identity theft, and prevent future breaches.
Nissan’s third-party data breach led to data exfiltration
According to a data breach notification filed with the Office of the Maine Attorney General on January 16, 2023, the third-party data breach occurred on June 21, 2022, and was discovered on September 26, 2022.
The company began an investigation with external cyber experts and discovered that the third-party data breach resulted in unauthorized access or acquisition of data, including some personal information belonging to Nissan customers.
“Specifically, the data embedded within the code during software testing was unintentionally and temporarily stored in a cloud-based public repository,” Nissan said.
Data exposed included full names, dates of birth, and NMAC account numbers of 17,998 customers in North America. However, the third-party data breach did not expose the victims’ Social Security Numbers or credit card information.
Nissan also confirmed that the contractor fixed the misconfigured public cloud repository to prevent further access and exfiltration. The automaker also worked with the vendor to address various security issues and prevent similar incidents from recurring.
“The increasing adoption of cloud data storage technologies, the proliferation of unknown or ‘shadow’ data that is not kept up to date by IT and security teams, the death of the traditional security perimeter and a faster rate of change for developers have all created a perfect storm known as the ‘innovation attack surface,’” said Amit Shaked, CEO and co-founder at Laminar.
Shaked advised organizations to adopt “agile cloud data security solutions” to maintain a real-time inventory of cloud data and alert when sensitive data is exposed. “Having the dual approach of visibility and protection can prevent damages when mistakes happen,” Shaked said.
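The failure mode Nissan describes (real customer records embedded in code during software testing and then pushed to a public repository) is one a repository-side check can catch before the data ever leaves the developer's machine, which is also the "alert when sensitive data is exposed" control Shaked refers to. The following pre-commit style scanner is an added illustration written for this article, not tooling from Nissan or its contractor. It flags fixture lines that carry a plausible date of birth, an account-number-shaped token, or a PII-named key assigned a literal value, and it skips files that declare themselves synthetic. The regular expressions, the `synthetic-test-data` marker, the 10-12 digit account shape (the real NMAC format is not given in the article) and the sample files are all assumptions constructed for the example.

```python
"""Scan test fixtures for customer-like PII before they are committed.

Added illustration for this article; not Nissan's or the contractor's tooling.
Patterns, the synthetic marker and the sample files are assumptions.
"""
import re
import sys
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    snippet: str


# ISO-style dates with a birth-year-looking prefix; is_real_date() validates further.
DOB_RE = re.compile(r"\b(19|20)\d{2}-\d{2}-\d{2}\b")
# Placeholder account-number shape (10-12 digits). The real NMAC format is not
# public here; 10-digit epoch timestamps are a known false-positive source.
ACCOUNT_RE = re.compile(r"\b\d{10,12}\b")
# A PII-named key assigned a double-quoted literal, e.g. "dob": "1984-07-19"
# in JSON or full_name = "..." in Python.
PII_LITERAL_RE = re.compile(
    r'\b(first_name|last_name|full_name|email|dob|date_of_birth|account_number)\b'
    r'"?\s*[:=]\s*"[^"]+"',
    re.IGNORECASE,
)
# A file whose first line carries this marker is declared synthetic and skipped.
SYNTHETIC_MARKER = "synthetic-test-data"


def is_real_date(token):
    """True only if token is a valid calendar date between 1900 and today."""
    try:
        d = date.fromisoformat(token)
    except ValueError:
        return False
    return date(1900, 1, 1) <= d <= date.today()


def scan_text(path, text):
    """Return at most one Finding per kind per line; synthetic files yield none."""
    lines = text.splitlines()
    if lines and SYNTHETIC_MARKER in lines[0]:
        return []
    findings = []
    for n, line in enumerate(lines, 1):
        m = DOB_RE.search(line)
        if m and is_real_date(m.group(0)):
            findings.append(Finding(path, n, "dob", m.group(0)))
        m = ACCOUNT_RE.search(line)
        if m:
            findings.append(Finding(path, n, "account_number", m.group(0)))
        m = PII_LITERAL_RE.search(line)
        if m:
            findings.append(Finding(path, n, "pii_literal", m.group(0)))
    return findings


def scan_files(files):
    """files maps path -> text content; returns all findings across them."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample files: one real-looking fixture, one declared synthetic,
# and a source file whose digits and dates should not be flagged.
SAMPLE_FILES = {
    "tests/fixtures/customers.json":
        '{"full_name": "Jane Example", "dob": "1984-07-19", '
        '"account_number": "123456789012"}\n',
    "tests/fixtures/synthetic_customers.json":
        "// synthetic-test-data: generated fixtures, no real customers\n"
        '{"full_name": "Test Person", "dob": "2000-01-01", '
        '"account_number": "000000000000"}\n',
    "src/config.py":
        "MAX_RETRIES = 3\n"
        'DEFAULT_DOB = "2000-02-30"  # not a calendar date, so not a real DOB\n'
        'BUILD_ID = "20230116"\n',
}


def main(argv):
    """Scan the paths given on the command line, or the samples if none."""
    if len(argv) > 1:
        files = {p: open(p, encoding="utf-8", errors="replace").read()
                 for p in argv[1:]}
    else:
        files = SAMPLE_FILES
    findings = scan_files(files)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.snippet}")
    return 1 if findings else 0  # non-zero blocks the commit in a hook


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to scan the built-in samples, or pass staged file paths from a pre-commit hook; the non-zero exit code is what stops the commit. The synthetic marker is deliberately a first-line declaration rather than a pattern exemption, so the safe path for developers is to generate fixtures and label them, not to tune the regexes until real records pass.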
According to Nissan’s investigation, no evidence suggests that threat actors have misused the stolen information. Nevertheless, Nissan is notifying the victims out of an abundance of caution. Additionally, the Franklin, Tennessee-based automaker is offering one year of complimentary identity theft protection with Experian.
Nissan did not disclose the identity of the third-party contractor responsible for the breach.
“In attacks such as this, identity is the solution for finding the adversary and eliminating it from systems,” said Gal Helemski, co-founder & CTO/CPO at PlainID. “Organizations must adopt a “Zero Trust” approach, which means trusting no one – not even known users or devices – until they have been verified and validated.
“Access policies and dynamic authorizations are a crucial part of the zero-trust architecture, as they help to verify who is requesting access, the context of the request, and the risk of the access environment,” advised Helemski.
Another automaker data breach
The third-party data breach occurred two years after another Nissan hack exposed over 20GB of data, including Git source code repositories, market research information, and client acquisition data. Unlike the current incident, which Nissan attributes to a third-party contractor, the January 2021 breach stemmed from Nissan’s own use of weak credentials, with “admin” serving as both username and password for the affected accounts. Similarly, Nissan Canada Finance suffered a cyber attack in December 2017 that exposed the personal data of 1.13 million customers.
Another cyber incident at Toyota in October 2021 exposed the personal information of 296,019 customers after the automaker’s Git access keys had been exposed for five years.
In January 2023, researchers also discovered 20 API vulnerabilities affecting 16 car manufacturers, including Mercedes-Benz, Ferrari, Porsche, Toyota, and Nissan. When exploited, the security flaws could allow threat actors to remotely control vehicles, access personal information, and take over user accounts.
The researchers discovered that the impacted automakers used control systems with similar functionalities, suggesting they relied on a handful of third-party vendors instead of developing their control software in-house. The researchers also suggested that the automotive industry lags in cybersecurity, putting customers’ data at risk.
Ani Chaudhuri, CEO at Dasera, believes that Nissan handled the incident diligently despite the data breach notification delay.
“Though Nissan allegedly took six months to disclose the data breach to the affected parties, it is clear that they took the incident very seriously and moved quickly to contain the damage and protect the affected individuals,” Chaudhuri said. “We should work to appreciate the transparency and honesty with which they communicated the incident to the public, as any form of a data breach is extremely hard on a company due to potential damage to reputation, revenue, culture, etc.”