The incident took place in June 2022, but its full impact was only uncovered on September 26, 2022.
Nissan North America, Inc. experienced a data breach affecting roughly 18,000 customers on June 21, 2022, but the incident was not fully uncovered until September 26, 2022. This was revealed in a breach notification published by the Office of the Maine Attorney General.
This incident should not come as a surprise since in January 2021, Nissan exposed 20 GB worth of data assets belonging to Nissan North America. What’s worse, the automotive giant used “admin” as the username and password for the exposed repository.
In December 2017, Nissan’s operations in Canada were hit by a cyber attack in which the personal data of 1.13 million Nissan Canada Finance customers was compromised.
As for the recent data exposure, the incident took place because personal information belonging to thousands of Nissan customers was provided to a third-party developer for software testing.
However, the developer ended up temporarily storing the data in a cloud-based public repository. On June 21, Nissan was informed that this data had been inadvertently exposed by the service provider.
“During our investigation, on 26th September 2022, we determined that this incident likely resulted in unauthorized access or acquisition of our data, including some personal information belonging to Nissan customers. Specifically, the data embedded within the code during software testing was unintentionally and temporarily stored in a cloud-based public repository.”
The exposed data included personal information such as names, birth dates, and NMAC account numbers related to vehicle financing. Nissan confirmed that the breach did not include Social Security numbers or credit card information.
“Upon learning of this issue, we immediately ensured that the third-party provider contained the threat by disabling all unauthorized access to the data, and we commenced a prompt and thorough investigation,” Nissan says.
“We worked with the third-party service provider to assure that it takes steps to prevent events like this in the future. As part of our investigation, we worked very closely with external cybersecurity professionals experienced in handling these types of complex security incidents.”
Despite no evidence of the exposed data being misused, the possibility of it being shared online on hacker forums cannot be ruled out. Large amounts of personal information allow hackers to target customers with convincing phishing messages and elicit more information.