Nissan North America has suffered a data breach in which the personal information of nearly 18,000 individuals was accessed by an unauthorized third party. The incident occurred on June 21st, 2022, but was not fully discovered until September 26th, 2022. Nissan had provided a third-party developer with the data in order to test its software.
The data was inadvertently exposed by the third-party service provider, which stored it in a cloud-based repository that was publicly accessible. The exposed data included customer names, dates of birth and NMAC account numbers related to vehicle financing. Nissan says there is no evidence that this data has been misused, but a name, date of birth and financing account number together are exactly the details a fraudster needs to make a phishing message impersonating the lender look legitimate. Nissan has confirmed that the third-party provider contained the exposure by disabling all unauthorized access to the data, and has engaged external cybersecurity professionals to handle the incident.
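The underlying failure is that real customer records were handed to a supplier for software testing. As an added example, and not Nissan's or its supplier's code, the following Python shows one way to produce a test-safe copy of such a dataset before it leaves the organization: account numbers become keyed HMAC tokens (still joinable across tables, not reversible without the key), dates of birth collapse to an age band, names are replaced with placeholders, and a release check refuses the export if any original value survives in the output. The record contents, the key and the cut-off date are constructed for the example; only the field categories (name, date of birth, account number) follow what the article lists.

```python
"""Produce a pseudonymized test dataset and gate its release on a PII leak check.

Added example; not the code of any organization named in the article. Records,
key and reference date are constructed.
"""
import hashlib
import hmac
import json
from datetime import date

# Constructed sample of production-style records (fictional people).
PRODUCTION_RECORDS = [
    {"name": "Jane Q. Sample", "date_of_birth": "1984-03-17", "account_number": "NMAC-00012345"},
    {"name": "Juan Ejemplo", "date_of_birth": "1990-11-02", "account_number": "NMAC-00067890"},
]

# Constructed key. In real use it lives in a secrets manager and never travels
# with the dataset: whoever holds it can brute-force the small account-number
# space and reverse every token.
PSEUDONYM_KEY = b"constructed-key-rotate-me"

# Constructed reference date so age bands are stable for the example.
AS_OF = date(2022, 6, 21)


def tokenize_account(account_number: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed token: HMAC-SHA256, truncated to 64 bits for readability."""
    mac = hmac.new(key, account_number.encode("utf-8"), hashlib.sha256).hexdigest()
    return "TEST-" + mac[:16]


def generalize_dob(dob_iso: str, today: date) -> str:
    """Keep only what a test plausibly needs (a ten-year age band), not the full date."""
    born = date.fromisoformat(dob_iso)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def pseudonymize(records, today: date = AS_OF, key: bytes = PSEUDONYM_KEY):
    """Return test-safe copies of the records; nothing in the output is derived from the name."""
    out = []
    for i, rec in enumerate(records, start=1):
        out.append({
            "name": f"Customer {i:06d}",
            "age_band": generalize_dob(rec["date_of_birth"], today),
            "account_token": tokenize_account(rec["account_number"], key),
        })
    return out


def leaks_pii(test_records, production_records):
    """Release gate: list every original name, DOB or account number that survives
    anywhere in the serialized test dataset. Empty list means safe to ship."""
    blob = json.dumps(test_records)
    found = []
    for rec in production_records:
        for field in ("name", "date_of_birth", "account_number"):
            if rec[field] in blob:
                found.append((field, rec[field]))
    return found


def build_test_dataset():
    """Pseudonymize the constructed records and refuse to return them if the gate fails."""
    test_records = pseudonymize(PRODUCTION_RECORDS)
    leaks = leaks_pii(test_records, PRODUCTION_RECORDS)
    if leaks:
        raise RuntimeError(f"refusing to export test data, PII present: {leaks}")
    return test_records


if __name__ == "__main__":
    print(json.dumps(build_test_dataset(), indent=2))
```

Even a dataset prepared this way should not sit in a world-readable repository, but a leak of it exposes tokens and age bands rather than the names, birth dates and account numbers a phishing campaign would need; the release gate is the control that makes that difference enforceable rather than aspirational.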
This is not the first security scare for Nissan customers in the region. In 2017, Nissan Canada Finance revealed that over a million current and former customers may have had their details compromised in a data breach. In January 2021, poor password security exposed a 20GB trove of internal data stored on a Git server, including the source code of some of the firm's mobile apps.
Security experts shared their perspectives on what the incident means for the industry and how organizations can protect themselves from similar threats.
Gal Helemski, co-founder & CTO/CPO, PlainID
"In attacks such as this, identity is the solution for finding the adversary and eliminating it from systems. Organizations must adopt a “Zero Trust” approach, which means trusting no one – not even known users or devices – until they have been verified and validated. Access policies and dynamic authorizations are a crucial part of the zero-trust architecture, as they help to verify who is requesting access, the context of the request, and the risk of the access environment.
Instead of pouring more money into a shotgun approach to security, organizations need a more focused strategy oriented toward purchasing the highest reward tools. Identity and authorization are where the smart money should be going. If we assume hackers are already in the network, it makes sense to focus budgets on technologies that restrict movement inside the network."
Lorri Janssen-Anessi, Director, External Cyber Assessments at BlueVoyant
"Nissan's reported supplier leaking thousands of customers' data is another example of trusting a third party with data when it is unclear as to the strength of their cybersecurity program. When organizations choose to share data or other information with a third party/supplier, they are relinquishing the care and secure handling of critical information to that other organization. It is imperative that organizations are vigilant in understanding how their data will be used, stored, and secured. If that information is not provided, then decisions on sharing data or information should be strongly weighed against the risks in the possible event of a cyber breach. The best practices to prevent incidents like this are to know which suppliers are handling sensitive data, to continuously monitor third parties, and to work with them to remediate any security issues quickly."