Hacker stealing data from laptop showing Nissan data breach

Nissan Oceania Data Breach Impacts 100,000 Individuals in Australia and New Zealand

Nissan Oceania is notifying 100,000 individuals that the December 2023 data breach exposed their personal information.

The New Zealand and Australia-based subsidiary of the Japanese automaker Nissan said it detected “unauthorized access” to its local IT servers on December 5, 2023. It responded by notifying law enforcement authorities, privacy regulators, and national cybersecurity centers.

The automaker also initiated a review of the cybersecurity incident involving government agencies and external cyber forensics experts to determine the scope and impacts.

Nissan data breach leaked sensitive information of 100K Aussies and Kiwis

The inquiry determined that the cybersecurity incident impacted Nissan’s customers and those of rival Nissan-operated financial businesses in Australia and New Zealand.

“Nissan expects to formally notify approximately 100,000 individuals about the cyber breach over the coming weeks,” the company said, adding that the estimated number could reduce after validation and duplication removal,” said the company. “This number might reduce as contact details are validated and duplicated names are removed from the list.”

Although the nature of the information leaked varied for each individual, it could include official identification details for a small subset of data breach victims and personal information for the majority.

“Current estimates are that up to 10% of individuals have had some form of government identification compromised. The data set includes approximately 4,000 Medicare cards, 7,500 driver’s licenses, 220 passports, and 1,300 tax file numbers,” the automaker said.

The remaining 90% of the victims “had some other form of personal information impacted; including copies of loan-related transaction statements for loan accounts, employment or salary information or general information such as dates of birth.”

Nissan Oceania promised to notify roughly 100,000 individuals of the data breach in the coming weeks, including customers of its Mitsubishi, Renault, Skyline, Infiniti, LDV, and RAM branded finance businesses.

While the whereabouts of the stolen information remains a mystery, Nissan Oceania has offered free identity theft and credit monitoring services for 12 months to protect data breach victims from fraud.

“It’s great to see that they are helping employees by providing them with free credit services, but what if companies implemented a proactive approach rather than reacting to cyberattacks? Key lessons learned from this attack underscore the vital role of proactive, intelligence-powered cybersecurity measures,” said Jess Parnell, CISO at Centripetal.

Meanwhile, the automa5ker has not attributed the data breach to any cyber actor. However, the Akira ransomware gang has claimed responsibility for the attack, saying it stole 100 GB of data, allegedly containing “NDAs, projects, [and] information about clients and partners, etc.”

Nissan Oceania has not disclosed the attack vector the suspected Akira ransomware gang exploited during the attack.

“It would be interesting to learn how the Akira ransomware group gained unauthorized access and what steps Nissan is taking to prevent it from happening again, at least using the same attack method,” said Roger Grimes, Data-Driven Defense Evangelist at KnowBe4. “Akira is fairly well-known for attacking using unpatched public-facing software. Was this the case in this instance? And if so, what steps is Nissan taking to prevent unpatched software from being exploited in the future?”

Since its first detection in May 2023, the Akira ransomware gang had victimized over 81 organizations by February 2024, especially US healthcare organizations, universities and colleges, and K12 schools. The group was recently attributed to the Stanford University ransomware attack that compromised information of 27,000 individuals.

Automakers targeted by cyber attacks

Besides Akira, other cybercriminals also frequently target vehicle manufacturers to steal sensitive personal information stored by their sales, financial, and service departments.

With their cybersecurity practices lagging behind technological advancements, automakers are also impacted by numerous cybersecurity vulnerabilities resulting in data breaches.

“Nissan is one of the most recognizable car manufacturers in the world, and it being hit by a ransomware attack is unfortunate, but not that surprising,” noted Corin Imai, Senior Security Advisor at DomainTools. “Huge name-brands are increasingly flooding the news as victims of cyber attacks and data breaches as ransomware gangs take advantage.”

In November 2023, Toyota reported a cyber attack affecting its European and African financial services divisions. In May 2023, Toyota reported a data leak from a cloud misconfiguration that exposed the vehicle data of 2 million car owners for over a decade.