Akira ransomware attack on Nissan exposed personal information of 100,000 people

The attack occurred in December last year

On December 5, 2023, Nissan became the target of a major cybersecurity breach orchestrated by the Akira ransomware group. This malicious attack led to the unauthorized access and exposure of personal information belonging to approximately 100,000 individuals.

In the official Australian and New Zealand website update, Nissan wrote:^[1]

On 5 December 2023, a malicious third party obtained unauthorised access to our local IT servers. We took immediate action to contain the breach, and promptly alerted the relevant government authorities, including the Australian and New Zealand national cyber security centres and privacy regulators.

Although there was no confirmation at the time of a data breach, Nissan advised its customers to remain alert across all of their accounts and watch out for any potential scam efforts.

The breach not only disrupted the operations of Nissan Motor Corporation but also impacted Nissan Financial Services in Australia and New Zealand, underlining the extensive reach of this security lapse.

The compromised data was quite significant

The cyberattack perpetrated by the Akira cybercriminal group led to a substantial leak of sensitive information. An estimated 10% of the victims had crucial government identification details exposed.

This included the theft of approximately 4,000 Medicare cards, 7,500 driver's licenses, 220 passports, and 1,300 tax file numbers. Such information is highly sensitive, posing a significant risk of identity theft and fraud for the individuals affected.

The remaining 90% of affected individuals had other forms of personal information compromised. This ranged from loan-related transaction statements and detailed employment and salary information to basic personal identifiers like dates of birth. The breach extended beyond Nissan's direct customers to encompass employees and customers of affiliated finance services, including those associated with Mitsubishi, Renault, Skyline, Infiniti, LDV, and RAM brands.

Akira gang claims that all the data is available to download

Since March 2023, the Akira ransomware group has become a major cybersecurity problem – they previously attacked other major companies and institutions, including Stanford University.^[2]

They have publicly acknowledged that they are to blame for this data leak and boasted of stealing 100GB of data, which included a wide array of sensitive and confidential information.^[3]

The data set not only covered the personal information of employees and customers but also extended to include corporate files, non-disclosure agreements, project data, and information about clients and partners. Allegedly, following their refusal to meet the ransom demands, Akira made good on their threat by publishing the stolen files.

On their website, Akira claimed that all the stolen Nissan data could be downloaded for free, since “They seem to not be very interested in the data, so you can find their stuff here.”^[4]

Nissan keeps getting breached

In reaction to this cybersecurity crisis, Nissan made an effort to mitigate the impact on affected individuals. The company will be notifying impacted parties, and providing them with complimentary identity theft protection and credit monitoring services. Affected individuals in Australia and New Zealand, for instance, have been offered 12 months of free credit monitoring through Equifax and Centrix, respectively.

Additionally, Nissan has facilitated access to IDCARE's protective services to help secure the stolen data against misuse. Recognizing the financial burden of replacing compromised government IDs, Nissan has also committed to reimbursing those costs for affected individuals.

This is obviously not the first data breach the car manufacturer has suffered from, and it keeps being breached continuously. In late 2022, Nissan North America suffered from a data breach caused by a third-party vendor, resulting in data exposure of 18,000 users.^[5]

In early 2021, 20 GB of data went public due to the Git server being exposed online with default credentials. It comprised the source code for apps and internal tools, as well as marketing statistics on customer acquisition.