Nissan's third-party service provider exposes customers' personal data

A third-party vendor accidentally allowed unauthorized access to Nissan's customer data

Nissan, one of the largest Japanese multinational automobile manufacturers, has suffered a data breach. Nissan North America has begun sending out notifications to the users affected by the incident. The notifications state that a third-party service provider specializing in software development, which the company was using, had exposed their personal data.

In mid-January this year, the Office of the Maine Attorney General received notification from Nissan North America about a security breach that took place on June 21 and was discovered five days later. The notifications about the data breach were sent out to the affected users in December 2022. It is described as an “Inadvertent disclosure, Insider wrongdoing” data breach.[1]

Following the breach, Nissan immediately identified and quelled the threat from the third-party provider. Further, an investigation was launched to ensure similar events will not happen in future operations. To that end, the company worked with the provider to design more stringent protocols going forward.

The adoption of new technology in cars raises cybersecurity issues in many ways. Cybersecurity vulnerabilities in the application programming interfaces (APIs) of nearly 20 car manufacturers and transport service providers could have allowed hackers to carry out malicious activities. Millions of cars could be affected, meaning that criminals could have carried out everything from unlocking, starting and tracking the location of cars to exposing customers' personal information.

Almost 18 thousand users affected

Following the investigation that concluded on September 26, Nissan determined that its systems had been breached and that some customer data, among private company data, had been acquired or accessed without authorization.

According to the information posted on the Maine Attorney General's website, the total number of affected individuals is 17,998. Information that was accessed included personal details such as name, date of birth, and NMAC account number. NMAC is a Nissan Motor Acceptance Company Finance Account Manager app that allows customers to manage their accounts at any time.

While these details are personal, Nissan stated that no sensitive information was compromised, and that data such as credit card information or Social Security numbers was not exposed during the breach.

The notification template sent out to customers by Nissan North America was published online[2] and provides more insight into the data breach. According to the message, the data was stored in code during software testing by the third-party provider, and was temporarily placed in a publicly accessible cloud storage repository.

Nissan offers some assurance, but it is not the first time it has suffered from data protection issues

In the notification sent to customers, Nissan assures users that no sensitive details in its possession have been accessed and that there is no indication, as of now, that the compromised details were misused in any way. The statement loses a lot of merit considering that a lot of illegally accessed information has later been leaked online.

For example, Twitter user data was stolen via a vulnerability in one of the APIs last year, and it later became clear that another 1.4 million social media profiles were exposed.[3]

Nissan itself has previously suffered from security incidents. In early 2021, 20 GB of data was leaked because a Git server was exposed online with default credentials.[4] It contained the source code of apps and internal tools, marketing data about client acquisition, and more.

Just in October 2022, a data breach hit Toyota,[5] where the personal information of almost 300 thousand customers was exposed online because a GitHub repository with access keys to databases was left open.

Despite the lack of evidence that any of the illegally accessed information could be misused, the company offered all the affected users a one-year membership of Experian IdentityWorks℠ Credit 3B, which should provide cover for identity theft cases. Those who want to enroll will have to activate the membership.

About the author
Jake Doevan - Computer technology expert

Jake Doevan is one of News Editors for He graduated from the Washington and Jefferson College, Communication and Journalism studies.