Nissan confirms 100,000 customers affected by previous data breach by the Akira Ransomware group

30 Apr 2024, by Slade Baylis

As is unfortunately the new normal, each month it seems like there is news of another data breach of a major organisation.  Perhaps it could be related to the increasing use of AI in cyberattacks, or alternatively, it could just be a sign that cybercriminals are getting more sophisticated in their methods of attack. 

On this front, earlier this month Nissan revealed that the data breach they suffered back in December of last year, which was previously thought to have only affected fewer than 18,000 customers [1], has actually affected as many as 100,000 of their Australian and New Zealand customers [2].  This breach not only included personal information, but also some form of government ID in at least 10 percent of cases.

In this article, in order to help our readers protect their own systems, we’ll be discussing this breach.  Specifically, we'll cover what was stolen, how it occurred, and what you can do to prevent yourself from being hit by similar threats.

Nissan – The compromise of private information for 100,000 customers

Initially disclosed on the 5th of December 2023, the cyberattack that saw Nissan's customer data stolen looks to have impacted more customers than initially thought, the company has now announced.

“We now know the list of affected individuals includes some of Nissan's customers (including customers of our Mitsubishi, Renault, Skyline, Infiniti, LDV and RAM branded finance businesses), dealers, and some current and former employees,” the company said.  In total, they have said that they expect to formally notify approximately 100,000 individuals about the cyberbreach over the coming weeks.

Just like previous breaches we’ve reported on – such as the Optus breach from 2022 [3] – information that was stolen unfortunately also included government information.  Due to it being Nissan’s corporate and financial services business units that were hit, in at least 10 percent of cases some form of government information was stolen. This information included 4,000 Medicare cards, 7,500 drivers’ licences, 220 passports and 1,300 tax file numbers [4].

Much like in the previously reported Optus case, we recommend that our readers take action to replace their documents if they believe their data may have been stolen as part of this breach.  Nissan has also offered to assist with this, offering reimbursement for the costs of replacing government IDs where it has been “recommended by the relevant issuing authority”.

Around two weeks after the initial announcement by Nissan about the breach in December, the Akira Ransomware Gang took responsibility for the cyberattack [5].  In their own announcement, they claimed that their operators stole around 100 GB of documents in total from Nissan’s systems.  They stated that they had contacted Nissan and threatened to leak the sensitive data online; however, as their ransom negotiations had failed, with Nissan either refusing to engage or refusing to pay the ransom, they would be releasing the data.  "They seem not to be very interested in the data, so we will upload it for you within a few days," they stated.  "You will find docs with personal information of their employees in the archives and much other interested stuff like NDAs, projects, information about clients and partners etc."

To some, this may seem careless on the part of Nissan, however, the Australian government has long been considering new laws to make it illegal for companies to pay these sorts of cybercriminals.  Whilst it may arguably place the customers whose data was stolen at more risk, it’s due to these sorts of ransomware payments that these attacks continue to increase and proliferate, increasing the threat of ransomware for everyone.

However, we’ve yet to touch on the actual attack-vector that was used, that’s to say how the attackers were able to break in and gain access to this information in the first place.

How did they break in and what can be learned? Don’t use customer data on development systems

The actual attack-vector used in this case was different to the other recent incidents that we’ve written about.  As reported by Tech Radar [1], in their report of the incident to the Office of the Maine Attorney General, Nissan “did not exactly take responsibility for the incident” - instead they pointed to a “misconfigured database belonging to a third-party vendor” as being the cause of the breach.

Specifically, they stated that last year they had “given a software development company customer data, which was needed in the process of developing and testing software for the carmaker”.  They stated that the data was poorly stored and poorly protected, likely resulting in a third-party gaining access and stealing the information.

"During our investigation, on September 26, 2022 we determined that this incident likely resulted in the unauthorised access or acquisition of our data, including some personal information belonging to Nissan customers," they noted.  "Specifically, the data embedded within the code during software testing was unintentionally and temporarily stored in a cloud-based public repository."

However, one issue with this statement by Nissan is that even if the breach was actually of the systems of a third-party, best practice dictates that PII (Personally Identifiable Information) should never be used in development or testing environments.  This is primarily in place due to privacy concerns, especially if third-party developers are involved, but it also exists to prevent these sorts of situations from occurring. 

Non-production and testing systems are often not placed behind the same level of protection that production systems usually have in place, meaning they are at higher risk of these sorts of cyberattacks.  Due to this, any information stored in these systems and used for testing purposes should be “dummy data”, or information that functions the same as real data but is generic non-identifiable information.

For our customers and newsletter readers, this is the lesson that should be taken away from this breach.  If you have any development websites that are copies of your production systems, make sure that they don’t contain any sensitive information, either about your organisation or your clients.
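One way to check a development copy or test fixture for two of the government identifiers named above is shown below. This is an added example, not code from Micron21 or Nissan; the function names and the sample fixture are hypothetical, and the checksums used are the publicly documented ones for Australian tax file numbers and Medicare card numbers.

```python
import re
import sys
from pathlib import Path

# Candidate shapes: 9-digit TFN, 10-digit Medicare number (optional spaces).
TFN_RE = re.compile(r"\b\d{3} ?\d{3} ?\d{3}\b")
MEDICARE_RE = re.compile(r"\b[2-6]\d{3} ?\d{5} ?\d\b")
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
MEDICARE_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9)

def _digits(text):
    return [int(c) for c in text if c.isdigit()]

def tfn_checksum_ok(candidate):
    d = _digits(candidate)
    return len(d) == 9 and sum(w * x for w, x in zip(TFN_WEIGHTS, d)) % 11 == 0

def medicare_checksum_ok(candidate):
    # Digit 9 is the check digit over the first 8; digit 10 is the issue number.
    d = _digits(candidate)
    return len(d) == 10 and sum(w * x for w, x in zip(MEDICARE_WEIGHTS, d[:8])) % 10 == d[8]

def scan_text(text):
    """Return (line_number, kind) for each line holding a checksum-valid number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if any(tfn_checksum_ok(m) for m in TFN_RE.findall(line)):
            findings.append((lineno, "tfn"))
        if any(medicare_checksum_ok(m) for m in MEDICARE_RE.findall(line)):
            findings.append((lineno, "medicare"))
    return findings

# Constructed sample fixture. 123 456 782 and 2123 45670 1 are widely used
# checksum-valid test numbers, not real customer data.
SAMPLE_FIXTURE = """\
INSERT INTO customers VALUES (1, 'Test User', '000 000 001', '0000 00000 0');
INSERT INTO customers VALUES (2, 'J Citizen', '123 456 782', NULL);
INSERT INTO customers VALUES (3, 'A Driver', NULL, '2123 45670 1');
"""

def main(argv):
    # No arguments: scan the constructed sample. Otherwise scan the named files.
    sources = {p: Path(p).read_text(errors="replace") for p in argv} or {"<sample>": SAMPLE_FIXTURE}
    hits = [(n, ln, k) for n, t in sources.items() for ln, k in scan_text(t)]
    for name, lineno, kind in hits:
        print(f"{name}:{lineno}: checksum-valid {kind} number in test data")
    return 1 if hits else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The non-zero exit code lets the check run as a pre-commit hook or build step over fixture and seed files. Checksum validation only reduces noise, so a hit still needs a human look, and a clean result does not prove a dataset is free of personal information.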

Have any questions about the Nissan breach?

If you have any questions about this breach, or alternatively just want to have a chat about your own security posture, let us know!  We’re happy to provide guidance and advice about different ways you can increase the security of your own infrastructure.

You can contact us via phone on 1300 769 972 (Option #1) or alternatively reach out to us via email at sales@micron21.com 

Sources

1, Tech Radar, “Nissan confirms data breach, but says it isn't to blame”, <https://www.techradar.com/news/nissan-confirms-data-breach-but-says-it-isnt-to-blame>
2, IT News, “Nissan contacting 100,000 A/NZ customers after December breach”, <https://www.itnews.com.au/news/nissan-contacting-100000-a-nz-customers-after-december-breach-606113>  
3, Micron21, “Optus, Medibank, and now Harcourts – If they can be breached, what can you do to prevent it?”, <https://www.micron21.com/blog/optus-medibank-and-now-harcourts-if-they-can-be-breached-what-can-you-do-to-prevent-it>
4, Nissan, “Important update from Nissan Oceania”, <https://www.nissan.com.au/website-update.html>
5, Bleeping Computer, “Nissan Australia cyberattack claimed by Akira ransomware gang”, <https://www.bleepingcomputer.com/news/security/nissan-australia-cyberattack-claimed-by-akira-ransomware-gang/>
