Nissan North America has announced that a data breach it suffered last year resulted in the data of over 53,000 staff being exposed.
The attack, which occurred in November last year, came as the result of a threat actor targeting its external VPN and shutting down some of the company’s systems, which it then held for ransom.
Nissan also revealed that none of the systems were encrypted and that the threat actor had accessed a number of files containing what it determined was largely business data.
However, the car manufacturer discovered in February that the data accessed by the hacker included sensitive information belonging to current and former employees.
In a release sent to those affected, dated 15 May 2024, Nissan revealed that staff data had been compromised, adding that there is no evidence that it had been misused.
“Nissan has been reviewing the compromised data and recently discovered files containing certain personal information of our employees,” it said.
“At this time, we have no indication that any information has been misused or was the intended target of the unauthorised actor.”
In a notification to the Office of the Maine Attorney-General, Nissan said the data accessed includes personal identifiers such as names and social security numbers.
“The data accessed did not include any of your financial information,” Nissan said.
Following the breach, Nissan said it engaged cyber security experts to assist in reviewing its cyber standards and is bolstering its security protocols to prevent a repeat event.
“Although we are not aware of any instances of fraud or identity theft resulting from this incident, out of an abundance of caution, we are providing you, at no charge, with access to Experian’s IdentityWorks services,” Nissan said.
News of the Nissan North America attack comes months after Nissan Oceania revealed that an attack on its IT systems resulted in roughly 100,000 people being affected.
“We now know the list of affected individuals includes some of Nissan’s customers (including customers of our Mitsubishi, Renault, Skyline, Infiniti, LDV and RAM branded finance businesses), dealers, and some current and former employees,” it said.
“Nissan expects to formally notify approximately 100,000 individuals about the cyber breach over the coming weeks.”
Despite the massive number, Nissan expects that the number of people affected may shrink due to duplicate listings.
Nissan said the data stolen by the hackers includes Medicare cards, driver’s licenses, passports, tax file numbers, transaction statements, dates of birth, and salary information.
“Current estimates are that up to 10 per cent of individuals have had some form of government identification compromised,” it added.
“The data set includes approximately 4,000 Medicare cards, 7,500 driver’s licences, 220 passports, and 1,300 tax file numbers.
“The remaining 90 per cent of individuals being notified have had some other form of personal information impacted, including copies of loan-related transaction statements for loan accounts, employment or salary information, or general information such as dates of birth.”
While Nissan has not acknowledged the threat actor behind the breach, the attack was claimed by the Akira ransomware gang, which said it had stolen 100 gigabytes of data from the company.
“We’ve obtained 100GB of data of Nissan Australia,” the group wrote on 22 December.
“They seem not to be very interested in the data, so we will upload it for you within a few days. You will find docs with personal information of their employees in the archives and much other interested stuff like NDAs, projects, information about clients and partners etc.
“By the way, there is a notice on their website regarding investigation about possible personal information leakage, so we will confirm that with the data uploading.”