Share this article on:
Nissan Australia has revealed that the data breach it suffered late last year has affected over 100,000 people.
The incident was discovered on 5 December last year when the Australian wing of the Japanese car company detected unauthorised access by a “malicious third party” on its IT systems. The company immediately launched an investigation.
Now, in an update posted on its website, Nissan has said that roughly 100,000 people, including both customers and staff, had been affected and that it has begun the process of notifying them.
“We now know the list of affected individuals includes some of Nissan’s customers (including customers of our Mitsubishi, Renault, Skyline, Infiniti, LDV and RAM branded finance businesses), dealers, and some current and former employees,” it said.
“Nissan expects to formally notify approximately 100,000 individuals about the cyber breach over the coming weeks.”
Despite the massive number, Nissan expects that the number of people affected may shrink due to duplicate listings.
Nissan said the data stolen by the hackers includes Medicare cards, driver’s licenses, passports, tax file numbers, transaction statements, dates of birth, and salary information.
“Current estimates are that up to 10 per cent of individuals have had some form of government identification compromised,” it added.
“The data set includes approximately 4,000 Medicare cards, 7,500 driver’s licences, 220 passports, and 1,300 tax file numbers.
“The remaining 90 per cent of individuals being notified have had some other form of personal information impacted, including copies of loan-related transaction statements for loan accounts, employment or salary information, or general information such as dates of birth.”
While Nissan has not acknowledged the threat actor behind the breach, the attack was claimed by the Akira ransomware gang, which claimed to have stolen 100 gigabytes of data from the company.
“We’ve obtained 100GB of data of Nissan Australia,” the group wrote on 22 December.
“They seem not to be very interested in the data, so we will upload it for you within a few days. You will find docs with personal information of their employees in the archives and much other interested stuff like NDAs, projects, information about clients and partners etc.
“By the way, there is a notice on their website regarding investigation about possible personal information leakage, so we will confirm that with the data uploading.”
Akira is potentially set to have a big year of cyber crime in 2024, with the LockBit ransomware takedown earlier this year pushing skilled hackers towards the aforementioned threat group.