Data breach at Nissan North America due to vendor-exposed data

Nissan North America has begun sending data breach notifications to customers, informing them of a breach at a third-party service provider.

The incident was first reported to the Office of the Maine Attorney General on Monday, January 16th, 2023; the report states that 17,998 customers had been affected.

Nissan states in the sample notice that one of its software vendors notified it of a data breach on June 21st, 2022.

The third party had received data about Nissan customers to develop and test software solutions. Unfortunately, the database was not properly configured.

Nissan launched an internal investigation after learning about the security breach. It confirmed that the data had been accessed by an unauthorised person on September 26th, 2022.

The notice .

“Specifically, data that was embedded in the code during software testing was unintentionally and temporarily stored in a public cloud repository.”

The exposed data includes full names and dates of birth (Nissan Finance account). The notice also clarifies that credit card information and Social Security numbers were not included in the exposed data.

Nissan claims that it has not seen any evidence to suggest that this information was misused, and that the notices are being sent out of an abundance of caution.

All recipients of the breach notice will also be eligible for a 1-year membership of Experian's identity protection services.

Problems from the past

Nissan North America was hit with a similar issue in January 2021. A Git server was left exposed online with default credentials, which led to several repositories becoming publicly available.

The leak of 20GB of data exposed mobile apps, internal tools source code and market research data.

Toyota was also hit by a data security breach in October 2022. In this incident, the personal information for were exposed.

This happened because a GitHub repository containing the access keys for company databases was open to public view for five years.

Additionally, Nissan and other auto companies were found to use practices in their online portals and mobile apps, possibly leading to account takeovers or sensitive information exposure.