Nissan North America has confirmed a significant data breach affecting more than 53,000 current and former employees, following a targeted cyber-attack that was first discovered in November 2023. The breach, initially believed to involve only corporate information, was found to include personal data, according to a detailed investigation involving third-party cyber forensics experts and law enforcement.
The attack exploited an external virtual private network (VPN), allowing the hacker to access and exfiltrate data from local network shares. Despite shutting down certain non-production systems and demanding a ransom, the attackers did not encrypt devices, a tactic often used to evade detection and ensure rapid data restoration. This method aligns with strategies seen in previous ransomware incidents involving Maze, NetWalker, and Clop.
On February 28, 2024, Nissan determined that the attackers had accessed files containing personal information, contradicting their initial assessment. Affected data includes names, Social Security Numbers, and other personal identifiers of 53,038 individuals. However, financial information such as credit card or bank account details was not compromised.
In response to the breach, Nissan has offered 24 months of Experian’s IdentityWorks ID theft protection services to the victims. Despite the breach, Nissan has no evidence suggesting the stolen information has been misused and believes the primary target of the attack was not employee data.
Nissan has implemented several security measures to prevent future attacks, including an enterprise-wide password reset, the deployment of Carbon Black monitoring across all compatible systems, and comprehensive vulnerability scans. The company is also reviewing its security protocols to enhance protection against unauthorized access.
This breach is part of a troubling pattern for Nissan, which faced another significant data breach in December 2023 affecting 100,000 individuals in New Zealand and Australia. This incident, involving the Akira ransomware gang, compromised personal information from employees, dealers, and clients of various affiliated brands.
