The Japanese auto company Nissan has sent out breach notification letters to thousands of customers to inform them of a leak of personally identifiable information (PII) through a third-party vendor. The car company said it was notified on 21 June 2022 that names, dates of birth, and account numbers for Nissan Motor Acceptance Corporation, an indirect lender that helps people finance or lease Nissan vehicles, were exposed after it provided the customer information to an unnamed third party “for software testing.”
Nissan’s breach notification letter, which was sent to 17,998 people, does not say when the data was exposed or for how long.[1] “During our investigation, on September 26, 2022, we determined that this incident likely resulted in unauthorized access or acquisition of our data, including some personal information belonging to Nissan customers. Specifically, the data embedded within the code during software testing was unintentionally and temporarily stored in a cloud-based public repository,” the company said. Nissan said it was providing victims with a one-year membership for Experian IdentityWorks℠ Credit 3B, a service that helps detect possible misuse of personal information.
A spokesperson for Nissan explained that the third-party vendor “inadvertently placed some customer data in an unsecured, cloud-based storage location. At this time, we believe the risk is low, but, out of an abundance of caution, we are offering these consumers one year of credit monitoring services at no cost,” the spokesperson said. The company did not answer questions about whether the information leaked was enough for cybercriminals to impersonate someone within Nissan’s customer finance portal.
KnowBe4 said the incident was a prime example of why companies need to outline cybersecurity standards in contractual agreements signed with third parties tasked with handling sensitive customer data. “Nissan provided the information in good faith to an organization contracted to do testing, however that organization failed to properly secure the data. While it’s often not an easy sell to get a contractor to allow you to audit their systems, the history of data breaches caused by this type of mishandling is a strong argument toward being able to do that,” they explained. “Any organization that handles your data needs to be held to a standard of protection at or above your own. An unfortunate part of these types of issues is that Nissan will be associated with the breach, however the third party will likely go unremembered.”
Data from car companies and car insurance providers has been in high demand among cybercriminals, with multiple threat actors and groups leaking stolen data on the dark web in recent weeks.
Car insurance data stolen from nearly 800,000 Japanese customers of Zurich Insurance showed up on a cybercriminal forum last week among several other posts containing vehicle-related information.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://therecord.media/thousands-of-nissan-customers-affected-by-data-breach-through-third-party-vendor/