Data breach at Nissan North America exposes information of 53k employees

The data of current and former employees was leaked as a result of a ransomware attack last year

In November 2023, Nissan North America (NNA) experienced a significant data breach. The breach involved a cyberattack on the company's external Virtual Private Network (VPN), resulting in the exposure of personal information belonging to over 53,000 current and former employees, as became clear from the letter from the company on May 15.^[1] The attackers targeted NNA's systems and demanded a ransom, although it is unclear whether Nissan paid it.

Upon discovering the breach on November 7, 2023, Nissan promptly notified law enforcement and began an immediate investigation. The company worked closely with external cybersecurity experts to contain and terminate the threat. The breach was publicly disclosed in a Town Hall meeting on December 5, 2023, where employees were informed about the potential exposure of their personal information.

Full names and Social Security Numbers compromised

The investigation revealed that the hackers accessed files on local and network shares containing business information and personal data. Specifically, the breach exposed the names and Social Security numbers of the affected employees. However, no financial information was compromised.

Nissan North America reported the breach to the Office of the Maine Attorney General and other state officials. On February 28, 2024, the company identified the specific personal information that was exposed. To mitigate the risk of identity theft, Nissan is offering 24 months of free credit monitoring and identity theft protection services through Experian to the impacted individuals.

Enhancing cybersecurity measures

Nissan North America took several steps to enhance its cybersecurity measures. These steps included an enterprise-wide password reset, the implementation of Carbon Black monitoring on all compatible systems, and regular vulnerability scans. Additionally, the company is reinforcing its access control policies and exploring further security measures to prevent future incidents.

Cybersecurity experts have noted that such “smash and grab” attacks are becoming more common. These attacks involve quickly accessing and stealing data before detection. Experts recommend measures such as microsegmentation, endpoint detection, and adherence to the 3-2-1 backup rule to improve security and response times.

This is not the first time the Japanese car maker was hit by a cyberattack. In January 2023, NNA's third-party technology service provider exploded the data of almost 18,000 customers. At the end of that year, Nissan Oceania announced that it was looking into a data breach, which later turned out to be from the Akira ransomware gang, resulting in a data breach of 100,000 Nissan customers.^[2]

Some experts praise Nissan's response

The data breach at Nissan North America is part of a broader trend of increasing ransomware attacks targeting large corporations in recent years. Ransomware attacks involve cybercriminals disabling a target's computer systems or stealing data and then demanding payment to restore service. These attacks are becoming more sophisticated, often involving tactics such as obtaining employee passwords or multi-factor authentication codes to gain access to secure systems.

Experts like Venky Raju from ColorTokens highlight that these “smash and grab” tactics rely on speed and the ability to move laterally within networks.^[3] Implementing microsegmentation can significantly slow down attackers, giving security teams valuable time to detect and respond to threats. Similarly, Narayana Pappu from Zendata recommends robust access control lists, endpoint detection and response solutions, and maintaining backups as part of a comprehensive security strategy.

Erich Kron from KnowBe4 emphasizes the importance of continuous monitoring and timely reporting.^[4] By swiftly notifying law enforcement and affected individuals, Nissan has taken important steps to address the breach. Organizations can learn from Nissan’s response by ensuring they have incident response plans in place, conducting regular security audits, and educating employees about cybersecurity best practices.