Nissan Oceania Breached; 100K People Affected Down Under

A possible ransomware attack at Nissan has exposed personal information belonging to around 100,000 people in Australia and New Zealand.

The Japanese vehicle manufacturer has a troubled history with cyberattacks, dating back well over a decade. It has variously suffered a source code leak, a proof-of-concept exploit affecting its electric vehicles (EVs), and a data breach affecting more than 1 million customers.

Most recently, on Dec. 5, hackers obtained access to IT systems at Nissan's Oceania-region corporate and finance offices. The incident was rapidly addressed, the company wrote in an update on March 13, but not before the perpetrators exfiltrated significant amounts of sensitive data.

Dealers, some current and former employees, and customers of Renault-Nissan-Mitsubishi Alliance vehicles (which includes those three brands, as well as Infiniti and others) can expect formal notices of compromise in the coming weeks. Up to 10% of them have had at least one form of government ID stolen — 4,000 Medicare cards, 7,500 driver’s licenses, 220 passports, and 1,300 tax file numbers — and the remaining majority have lost other forms of personal information, such as copies of loan-related transaction statements, employment and salary information, and more general information like dates of birth.

Was It Ransomware?

Nissan hasn't revealed the nature or perpetrators of its attack. It's notable, though, that late last December the Akira ransomware gang claimed to have stolen 100GB of data from the company's Oceania division.

Dark Reading has reached out to Nissan Oceania for clarification on this point but has not yet received a reply.

"What's really surprising to me about this one is that they don't have data-at-rest encryption technology running," says Darren Williams, CEO and founder of BlackFog. "That's a common thing to do these days — you really should have all that personal data encrypted on drives, so even if the bad guys do get in, they're only getting encrypted data that they can't decrypt."

Besides encryption, he suggests, companies can protect against potential extortion attacks with anti-data exfiltration (ADX) tooling, "because if you're not watching the data leaving your building, then you don't know what's being lost until it's too late."

"Ninety-two percent of all attacks actually involve data exfiltration," Williams emphasizes. "That's how big the problem is."